Respond

New features in Advanced Hunting – Microsoft 365 Defender

During Ignite, Microsoft has announced a new set of features in the Advanced Hunting in Microsoft 365 Defender.

These features will definitely help you in the Threat Hunting process and also reduce the gap between analysts, responders and threat hunters and simplify the life of a threat hunter.

Multi-tab support

When having hunting training classes, I usually recommend to use multiple browser tabs. One for the query development, and one used to go back to previous queries to see how some things were done earlier.

for example, if you are developing a hunting query and need an if statement, external data, regex or other more advanced features it is easier to just open a previous query to see how it was solved last time. At least until you get more fluent in KQL. This is to avoid having to save your new query, go back to the old one, and then back to the new again

With the multi-tab support we can open the query in a new tab

Resource usage

The new Hunting Page will now provide the resource usage for the query both timing and an indicator of the resource usage

This will make it easy to see when query optimization is recommended and needed.
You could for example use equals, has instead of contains, remove columns not used to reduce the dataset etc. Of course, when it’s feasible.

If you would like to learn more about how to optimize queries, please visit:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide

UX

Schema, Functions, Queries and Detection Rules have been separated into tabs for, according to my opinion, easier access and pivoting which will give a better overview in each tab.

Schema Reference

The schema reference will open as a side pane




When looking at one of the *events tables, the ActionType column is very useful to see which events are being logged.
Earlier, I usually selected distinct ActionType in the query to have a look at the events being logged. Now, it’s possible to use the quick access from the portal to expand all action types for a specific table.

Above image shows the action types for DeviceFileEvents. In the DeviceEvents there are around 180 different action types to query.

For the hunting query development and hunting use-cases, the action types is a great go-to resource.

The columns in the schema reference is clickable and can in a simple way be added to the query

Simple query management

Inspect record

The inspect record pane is an easy way to see the data for one single row. When developing new queries I usually take a subset of data (take/limit 20) to see an overview of the results, and also select an event to see all data instead of side scrolling through all columns when needed.

New features in inspect record is that we can do quick filters which will be added to the query.

In this example we would like to know more about process executions from the C:\AttackTools folder

If we would like other pre-defined FolderPath filters, we can select View more filters for FolderPath
We can continue the query development and as in below example, get the count for each file in the folder specified in the query.

Last but definitely not leastLink the query results to an incident

This is my favorite, this will reduce the gap and simplify the process between threat hunters, responders, and analysts.

By selecting the relevant events in the result, they can be added to an existing incident, or create a new incidents.

This feature will help organizations to define the threat hunting both in a proactive hunting scenario, and in a reactive, post breach scenario when the hunters will assist analysts and responder with a simplified process.

How to link the data to an incident

To be able to link the data you need to have the following columns in the output

  • Timestamp
  • DeviceId/AccountObjectID/AccountSid/RecipientEmailAddress (Depending on query table)
  • ReportId

Develop and run the query

Please note, you cannot have multiple queries in the query window when linking to incident

Choose to create a new incident or link to an existing

Add the necessary details and click next
Select the impacted entities
After finishing the wizard, the data will end up in a new alert in the incident

Last tip

Run a quick check in your environment to see if you have remote internet-based logon attempts on your devices by looking for RemoteIPType == “Public”. There are other where RemoteIPType is useful, like processes communicating with Internet.

Happy Hunting!

Application Consent – Protect Detect and Respond

As companies raise their bars and protect more and more accounts with Multi-factor Authentication the attacks are twisting with new angles. The method of using Application Consent is nothing new but attackers haven’t had a need to use it as a stolen password is normally less friction.

So what is Application Consent, Application consent is a way to grant permissions to Applications to access your data that they need to perform their specific Task. An example could be a be a Travel App that needs to read your Travel itinerary so that it can automatically update your Calendar with Flight Data or other information.

I am sure everyone has seen a App Consent Screen

Source: Microsoft docs

Kevin Mitnick did a malicious Ransomware PoC roughly with Application Consent two years ago around this, feel free to watch the demo on the youtube link.

Application Control Protect

The first thing you should ask your selves, do you allow your users to Grant Permissions themselves of their data or have you as an organization centrally taken this control?

The settings can be configured under your Azure Active Directory

First off can your users Register Applications themselves or is this under central control?

AAD > User Settings > Enterprise Applications

So if you do not allow this the users would never be able to allow an App consent either, but if you do you can control how much data they can share and under what circumstances, you will find a few options in the detailed settings below.

AAD > Enterprise Applications > User Settings

AAD > Enterprise Applications > Consent and Permissions > User Consent Settings (Preview at the time of writing)

  • Do not allow user consent
  • Allow user consent for apps from verified publishers
  • Allow user consent for Apps

Allowing users to allow Apps will put you at risk as they can be lured into accepting an Application Consent. This is not only sensitive from a Security Threat perspective, but also from a privacy / secrecy perspective where third party apps malicious or not are for an example being granted access to PII or Customer Data.

Here you need to find the balance between control and risk on how much you can detect. With the “Allow user consent for apps from verified publishers” you also have the option to control what data and methods are being granted as well. Not that the offline_access is something you need to review thoroughly as that opens up your exposure.

Another possibility that exists is also to user a Admin Consent Requests, in this case a User can request a consent that an Admin will have to review and approve or deny.

AAD > Enterprise Applications > User Settings

Application Control Detection

There are a few ways to see and detect Application Consent, either you create a manual process to review this on a schedule or you use the tools you have at hand. Some examples on what you can use below depending on how you are licensed and how you have integrated Logs.

If you have integrated Office 365 Logs to Azure Sentinel this is an example query to find application consent activity.

AuditLogs 
| where OperationName == "Consent to application"
| extend displayName_ = tostring(TargetResources[0].displayName)
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project displayName_, userPrincipalName_, ActivityDateTime 

Application Control Respond

So what can you do if you find Applications that you suspect are doing malicious activities or is putting your data at risk.

You have a few options, start with documenting and putting a timeline with all the activities you are taking, its easy to forget when you need to go back in time.

  • Block Sign-in to Application
  • Remove Users from the Application
  • Remove the Application Completely
  • Ban/Block Application in MCAS
  • Review Permissions under the App in AAD

I wouldn’t recommend removing the app until your investigations is complete, id rather block the Login. Depending on that tools you have you can start going through your audit logs in relation to this app.

More Reading

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

24/7 protection during Covid-19 – Defender ATP Auto IR

One thing we usually discuss with customers is the workload. Everyone has too much to do and it can, sometimes be difficult to prioritize investigations.

Especially now, where you might be short on staff, and the Covid-19 virus can strike at the SOC organization or reduce the numbers of available people.

Of course, this does not only apply during the world crisis of Covid-19. Automation is also a help in the normal day to day work.

There are benefits of being able to automate responses and we have these discussions with many customers.

MDATP Automatic self-healing is built-in into Defender ATP and is mimicking these ideal steps a human would take to investigate and remediate organizational assets, impacted by a cyber threat.

This is done using 20 built-in investigation playbooks and 10 remediation actions

Increased Capacity

  • Respond at the speed of automation
  • Investigate and remediate all alerts automatically
  • Free up critical resources to work on strategic initiatives

Cost implications

  • It will drive down the cost per investigation and remediation
  • Takes away manual, repetitive tasks
  • Automated remediation eliminates downtime

Get full value of your protection suite and people, quick configuration and you are up and running

SecOps Investigation (Manual)

Sometimes it will take some time from the alert being triggered until someone has the time to start looking at it.  Manual work also requires more resources for review and approval for each action

From a SecOPs perspective, an initial response involves information gathering.

Collecting:

  1. Process list
  2. Services
  3. Drivers
  4. Network connections
  5. Files created
    1. Where did the file originate from?
    1. etc

Based on our results, we will decide the remediation steps (if we do not follow a playbook here, the catch will be different result depending on who makes the response).

Remediation:

The remediation will include connecting remotely or manually collect the device and then launch tools for the remediation process.

Automatic response with Auto IR

Fast time to respond which will avoid additional damage and compromise of additional devices, when attackers will start moving lateral in the environment.

It’s our 24/7 buddy who assists the SOC staff to remediate threats so the human staff can focus on other things

  1. MDATP is sending telemetry data to the cloud
  2. MDATP cloud continuously analyzes the data to detect threats
  3. Once a threat is identitfied an alert is being raised
  4. The alert kicks off a new automated investigation
  5. AIRS component asks Sense client to initiate SenseIR
  6. SenseIR is then orchestrated by AIRS on what action should be executed (Collection/Remediation)
  7. Based on the data collected from the machine (current and historical) AIRS decides what actions should be taken
  8. For every threat identified, AIRS will automatically analyze the best course of action and tailor a dedicated surgical remediation action to be executed using on device components (e.g. Windows Defender Antivirus)

Playbook is executed

“suspicious host” playbook is just an example of “catch all” playbook that is applied after detailed AutoIR investigation for evidences raised by alerts / incident  to ensure that nothing is missed.

Data Collection

  • Volatile data
    • All processes list – main image, loaded modules, handles, suspicious memory sections
    • All services list
    • All drivers list
    • All connections
  • None-Volatile data
    • Recently created files – x minutes febore / after alert
    • All persistence methods
    • Recently executed files
    • Download location

Incrimination

  • Microsoft Security Graph eco system – DaaS, AVaaS, TI, TA, Detection engine, ML infrastructure etc.
  • Custom TI indicators – for allow / block list

Remediation

  • How?
    • By leveraging OS components (e.g. Defender Antivirus) to perform the remediation (prebuilt into the system, low level actions (driver), tried and tested)
  • What?
    • File actions
    • Process actions
    • Service actions
    • Registry actions
    • Driver actions
    • Persistency methods (Reg, Link files, etc.) actions
    • Scheduled task actions
    • More…

Getting started

Advanced Features (edited list)
  • In machine groups select Add machine group

As you can see in the options, you can select different AutoIR levels

Summary

Go auto approval, save time and protect your business!

Happy Hunting

SANS Threat Hunting Summit – Link list

Thank you for attending our session at Sans Threat Hunting & IR Summit in London.

Here are some resources as promised during our session which may help.

Threat Hunting

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/hunting

https://blog.sec-labs.com/2018/06/threat-hunting-with-windows-defender-atp/

https://blog.sec-labs.com/2019/10/hunting-for-minint-security-audit-block-in-registry/

https://blog.sec-labs.com/2019/07/hunt-for-nuget-squirrel-update/

Power Automate / Logic Apps

https://docs.microsoft.com/en-us/cloud-app-security/flow-integration

https://docs.microsoft.com/en-us/power-automate/

https://docs.microsoft.com/en-us/azure/logic-apps/

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-create-api-app

Azure Automation:

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview

https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

https://docs.microsoft.com/en-us/azure/automation/shared-resources/credentials

Configuration

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/best-practices-for-configuring-eop

https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/turn-on-modern-auth

https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score

Auditing and Logs

https://support.microsoft.com/en-gb/help/4026501/office-auditing-in-office-365-for-admins

https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing

Investigation

https://github.com/OfficeDev/O365-InvestigationTooling

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations

https://docs.microsoft.com/en-us/cloud-app-security/investigate-risky-oauth

https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions

API

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview

https://docs.microsoft.com/en-us/cloud-app-security/investigate-activities-api

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/apis-intro

https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

Free Training resources

https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch

Happy Hunting!

follow us on twitter @mattiasborg82 and @stefanschorling

Azure Sentinel is now GA

Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available

azure sentinel

Some of the new features are:

  • Workbooks are replacing dashboards, providing for richer analytics and visualizations
  • New Microsoft and 3rd party connectors

Detection and hunting:

  • Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
  • Easy elevation of MTP alerts to Sentinel incidents.
  • Built-in detection rules utilizing the threat intelligence connector.
  • New ML models to discover malicious SSH access, fuse identity, and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI
  • Template playbooks now available on Github.
  • New threat hunting queries and libraries for Jupyter Notebooks

Incidents:

  • The interactive investigation graph is now publicly available.
  • Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.

MSSP and enterprise support:

  • Azure Lighthouse for multi-tenant management
  • RBAC support

For further information:

Pricing: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/
Product page: https://azure.microsoft.com/en-us/services/azure-sentinel/
Documentation: https://docs.microsoft.com/en-us/azure/sentinel/

Happy Hunting

Gartner EPP Magic quadrant 2019 – Defender in the leading quadrant

The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide extremely powerfull Endpoint protection platform (EPP).
Microsoft is named a leader!

With built-in powerful capability which ties to Protect, Detect and respond, they have given us great tools for our security work.

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Window 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.

Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.

The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP,
Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.

Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.

Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.

In addition, excellent execution on its roadmap make it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.

Gartner

The benefit of the insights and protection these tools, and ability to use built-in SOAR capabilities, gives security teams around the globe a better and much faster understanding of the attacks for much fast response.

Many features like Exploit Protection, Network Protection, Attack Surface reduction, Firewall and more will provide a more reliable platform which is easy to manage.

The enriched alerts and incidents gives security teams a chance to put their effort to the critical incidents and avoid spending time trying to fight the noice in all different tools and manual tasks.

Automated investigations

Build your playbooks

Take back the control with live response

We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate

Threat hunting

Full gartner report:
https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=190731&st=sb&fbclid=IwAR3G9Otpxuc52bi0hpFE4-iGv8uhvgnxtSl0boqAU7-R4aw5MyLsuyy0fLg

Congratulations Microsoft, we’re looking forward for all coming features

Happy Hunting!

Hunt for nuget/Squirrel update vulnerability

A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.

https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12

In the post, Teams is mentioned as example but other affected application were mentioned on twitter.

So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!

To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.

Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.

To make it more easy to overview we’re adding the URL to a column

To continue this we can count unique URL’s to find anomalies

Edit: An Updated Query can be found on the link below here http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/

ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1), 
                       ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1), 
                       "Default")
| where exeURL != "Default"
| sort by EventTime desc 
|project EventTime, 
          ComputerName,
          exeURL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.

Happy Hunting!

March updates to Windows 10 for Cloud App Discovery integration in MDATP

Who doesn’t want to get in control of their Cloud App Usage, and get a nice cloud usage dashboard like this?

With the latest March 2019 Updates to Windows 10, 1709 and 1803 Microsoft has back ported the Cloud App Discovery Capabilities from 1809 so now you will get Discovery Data from Windows 10 devices ranging from 1709 and above, all you need to do is to enable the integration and your machines that are on boarded to MDATP will start reporting in.

Microsoft has also included some back porting regarding Automatic Investigation, Remediation, Memory Forensic.

Happy Hunting

https://support.microsoft.com/en-us/help/4489890/windows-10-update-kb4489890
https://support.microsoft.com/en-us/help/4489894/windows-10-update-kb4489894

Defender ATP and PowerBI

Maybe, you don’t want management in the ATP portal, even though it’s configurable via roles, and maybe they don’t want to be there.

One thing I know is that most managers loves numbers, so why not provide them with a PowerBI report.

You can perfectly use cloud based option and there is an app for Windows Defender ATP already there for you to use.

Configure your connector and you’re all good to go

The dasboard looks like the following picture

With the many different tiles you, or your manager, can dig deeper in to events like in this following example with alert status

It’s also possible to filter data based on who a case was assigned to, who resolved the case etc.

If you have a PowerBI Pro account, you could subscribe to get scheduled reports.

You can also to quick filter

This is an easy win for your manager

New features added to WD ATP

In the September release one of our most wanted features was added to WD ATP preview, Custom detection with scheduled queries.

This means that you can now develop your own hunting queries and run them every day automatically.

For this example we created a query to find a simple reverse shell from a Linux machine which runs Ziften.

Next step is to create a detection rule for the Query

detection rule

You can add Alert Title, Severity, Category, Description and Recommended actions.

It will be good if you add some details in the recommended actions if someone else will take action on the alert, or at least add a pointer to where they can find further information on requred actions. (Information sharing is important).

It’s possible to change this infomation later on.

detection rule page

On the Detection Rule page you can see the alerts and other information regards the detection rule.

All the rules will be listed at the left side in the hunting section.

custom detection

For further infomation about the new preview features please go to this url:

https://techcommunity.microsoft.com/t5/What-s-New/WDATP-September-2018-preview-features-are-out/m-p/242254#M95

Happy hunting!

/Sec-Labs