Respond

Assigning severity to incidents and other features are now GA

The speed of how new useful functionalities in Microsoft Defender XDR, previously Microsoft 365 Defender, are being developed is very high. From this perspective it is super important to send feedback, not only things that may not work as you expected or if there is an error, but also new feature requests.

Some new features which was released in GA in February is within the incident management space.

Change incident severity

When a incident is being generated, the severity is based on the alert with highest severity. If the severity is wrong, you can change it by opening the manage incident which will open the incident pane.

Assign incident to a group

Instead of only assign the incident to a specific individual (who might be on a leave), it is now possible to assign the incident to a group by opening the manage incident which will open the incident pane.

Go hunt directly from attack story

When selecting an item in the attack story, you will get an option for “Go Hunt” which will give you the options to choose between All activities, Related alerts and See all available queries

When selecting a query, you will have the response in the same window. The positive thing with this is that you don’t have to move away from the incident view. If you want to continue the hunting you have the option to “Open in advanced hunting”

Happy Hunting!

Threat Hunting and the New Hunts in Sentinel

Establishing a Proactive Hunting program is something which is useful and necessary today.

From working with proactive threat hunting for a long time, from when data was not available at your fingertips, things has become a lot easier in the era of SIEM and over the last years, EDR and XDR.

The technical part is the easy one. The process of establishing your hunting and connect it with existing processes is usually what’s difficult.

What is proactive Hunting?

First, what is threat hunting?

To dive in to this topic I want to point out activities that are somewhat related

The custom detections or scheduled rules is pretty clear what it is. but Tasks is something which sits in between Proactive Threat Hunting and Custom Detections.
Tasks are things discovered in Hunting, and data of interest but cannot be set as a custom detection as of yet.

The reasons could be many, but for example to noisy data and no good correlation values or near-time events that can be used to reduce False-Positives. Even though we have finalized our hypothesis from threat hunting we might want to follow-up on the events, maybe on a daily basis, but we cant have it scheduled since it will give an incident fatigue.

To summarize tasks, it’s queries that might make it to a detection but for now we run it automatically or manual and do manual review on the result on a daily schedule.

To iterate back to threat hunting before we take a look at the hunts feature in Sentinel

Threat Hunting can be divided into 2 main pillars; Proactive and Reactive hunting

Proactive Threat Hunting is when you don’t know something is going on, like playing hide-n-seek, except for that you don’t know anyone is playing with you

Reactive Threat Hunting is post breach/post incident and you use threat hunting to find the outer boundaries of the incident, which could be other devices communicating with a specific IP, list all process communicating, find the same processes on other devices, and then which IP’s they are communicating with.

In the EDR era or now, the XDR era, threat hunting becomes easier on a technical level. The data collection happens automatically for many workloads and not only collected, it’s streamed.

With the power of Kusto Query Language, you can do advanced aggregations, anomaly calculations and visualizations to truly crunch and bend your data.

In Proactive Threat hunting, you will start your assignment by defining your Hypothesis, which could be something like “I would like to see if any local users have been added outside the process”

Then you check what ever data you need to discover such activities (DeviceEvents/DeviceProcessEvents hint hint) and you continue to develop the query for is and document your result.

Here is what makes Hunts feature so great. It actually allows for process integration, like we have in Microsoft 365 Defender where we can create incidents based on the results and have it handled by the incident process.

Hunts in Sentinel

Common use cases:

  • Proactively hunt based on specific MITRE techniques, potentially malicious activity, recent threats, or your own custom hypothesis.
  • Use security-researcher-generated hunting queries or custom hunting queries to investigate malicious behavior.
  • Conduct your hunts using multiple persisted-query tabs that enable you to keep context over time.
  • Collect evidence, investigate UEBA sources, and annotate your findings using hunt specific bookmarks.
  • Collaborate and document your findings with comments.
  • Act on results by creating new analytic rules, new incidents, new threat indicators, and running playbooks.
  • Keep track of your new, active, and closed hunts in one place.
  • View metrics based on validated hypotheses and tangible results.

In Sentinel go to Hunting and Hunts

Here is the list of previous hunts.

If you select New Hunt we can create a new

You can add the Hypothesis and choose if it’s Validated or not (which can be set later in the process by another Threat hunter)

When we have our new Hunting campaign, we can add queries

Adding Tactics and techniques and map entities

It’s possible to create incidents from the results to map to the incident process, and we can also start automated playbooks (entity-based) from the entity pane.

Summary

There are so many details on this feature and it has some many capabilities. The best part is that it has the process of hunting as its core. Now it’s easier to deliver threat hunting, as a service, as a consultant or if you work internally for an organization.

Happy Hunting

Force release from isolation in MDE

It rarely happens, but if it happens, you have a solution…

One of the best response actions in Microsoft Defender for Endpoint (A part of Microsoft 365 Defender) is isolate device. This locks the device in the network stack and will connect any threat actor immediately from the device, or stop the user from doing what they are doing.

This action do have some extra great features. For instance, it will allow connection to the Defender backend which allow SecOps to continue to monitor, run live response (another action which gives SecOps shell access to the endpoint) to further analyze any suspicious behavior.

So what’s force release from isolation?

force release from Isolation is a batch script which will add some registry values to the endpoint to force it to release from isolation. This could be used if something happens on the network side where the endpoint is connected or if there is any other error that could break the release from isolation function from the portal.

Even though it’s very rarely necessary, it’s great to have such feature if something happens.

Downloading script

  • Go to device page and click on the more actions menu
  • Select force release from isolation
  • Run the script with administrative privileges

Script information

  • The script can only be downloaded from the Defender portal ( https://security.microsoft.com )
  • The script is only working for 3 days after download
  • The script is only working for the specific endpoint you download it for
  • Must be executed with local admin privileges

Minimum Requirements

  • Supports only Windows
  • The following Windows versions are supported:
    • Windows 10 21H2 and 22H2 with KB KB5023773
    • Windows 11 version 21H2, all editions with KB5023774
    • Windows 11 version 22H2, all editions with KB5023778

for further information, please visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#forcibly-release-device-from-isolation

Happy Hunting!

Automated attack disruption of Ransomware and BEC – public preview

Automated attack disruption of Ransomware and BEC (Business email compromise uses high-confidence Extended Detection and Response (XDR) signals across all workloads; endpoints, identities, email, and SaaS apps, to contain the threat quickly and effectively, to stop further impact.

These 2 scenarios are common attacks and it’s really great that they are supported by the feature in Microsoft 365 Defender.

Business Email Compromise, BEC

Threat actors are impersonating executives to trick, for example, Economic department to transfer money by impersonating the CFO or the CEO.

Automatic attack disruption can help to detect these attacks and remove the access to the accounts by disabling the compromised account, limiting their ability to send fraudulent email

Human-operated ransomware, HumOR

This attack, commonly used today, is devastating for an organization. The threat actors has full control of the environment and have usually controlled the environment for some time.

The challenge from a SecOps perspective is to be fast enough to respond to the incidents and mitigate accounts and the devices fast enough.

When the threat actors has gained privileged access, things move very quick and automatic attack disruption will contain the spreader device and disable the compromised user account

Automatic attack disruption operates in 3 key stages

  • Detect malicious activity and establish high confidence
  • Classification of scenarios and identification of assets controlled by the attacker
  • Trigger automatic response actions using the Microsoft 365 Defender protection stack to contain the active attack

First the detection will happen, which is achieved by AI, research-information etc.., to establish a high level of confidence in accurately detecting ransomware spread and encryption activity. The XDR-level capability correlates insights across endpoints, identities, email and SaaS apps to establish high-fidelity alerts.

A second stage will aggregate automatic analyze the activities like tampering, backup deletion, credential theft, mass lateral movement and many more to flag the assets included in the chain and trace the activities back to the remote execution TTP

Distrupting the attack

Response actions against the entities which are identified as compromised and in the public preview these two are the main actions:

When this happens, it will be visible in the:

Incident queue

  • A tag titled “Attack Disruption” next to affected incidents

If you really must exclude some user from the automatic attack disruption, then you can do it in the MDI settings

Incident page

  • A tag titled “Attack Disruption”.
  • A yellow banner at the top of the page that highlights the automatic action taken.
  • The current asset status is shown in the incident graph if an action is done on an asset, e.g., account disabled or device contained.

Some thoughts

It’s important that prerequisites are fixed, like MDI Action Account (if not using built-in system account) and

For further reading, please visit
Automatic attack disruption in Microsoft 365 Defender | Microsoft Learn

Stay safe, Protect the world and Happy Hunting!

Live response is GA for Linux and macOS

Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

Capabilities

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and outcomes of PowerShell scripts.
  • Download files in the background (new!).
  • Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
  • Take or undo remediation actions.

Requirements

  • macOS – Minimum required version: 101.43.84. Supported for Intel-based and ARM-based macOS devices.
  • Linux – Minimum required version: 101.45.13

Happy Hunting

Containing unmanaged Devices in Defender

For a long time we have been able to isolate onboarded devices in Microsoft Defender for Endpoint. But if a device is not onboarded we could not take any response actions to an eventual threat.

Microsoft has released a feature called Contain device which basically makes the opposite, instead of isolating the compromised device, we can tell all managed devices that they cannot communicate with the specific unmanaged device.

If a contained device changes IP address, the blocking will be updated and changed to the new IP address and the old will be “released” from block.

Defender troubleshooting mode

Troubleshooting mode will make it possible for local admins on the endpoint to override Antivirus policy on the device, including tamper protection. When enabled it give the admin a 3 hour window to do what was intended. After the 3 hour window, the settings will be re-applied again.

Enabling Troubleshooting mode

Go to the Device page in Microsoft 365 Defender and click on the 3 dots menu item and select troubleshooting mode

In the Device action center we can see the following entry

Prerequisites

  • Windows 10 (version 19044.1618 and above)
    Windows 11
    Windows Server 2019
    Windows Server 2022
  • Microsoft Defender for Endpoint must be tenant-enrolled and active on the device. 
  • The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 and above. 

Hunting for events

//Use the following ActionType and the DeviceEvents table
DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"  

Happy Hunting!

Take actions from Threat Hunting in M365 Defender

We wrote a blog post earlier about the news in threat hunting

New features in Advanced Hunting – Microsoft 365 Defender – SEC-LABS R&D

Another feature in hunting, which will speed up responses from a threat hunting scenario is Take Action

When selecting a record in the result, the Take Action button will be visible as seen in below picture

take actions, m365 defender

So instead of just creating a new incident or adding events to an existing incident we can take actions from the hunting experience.

In the Take actions experience we have actions grouped by Devices, Files and Users.

actionable items, m365 defender

The action options available is dependent on the data in the result. For instance, file information like checksum is required to being able to quarantine a file.

When clicking Next we can see the target selected and click Next

We can add a Remediation name and Description for our action

This feature enables a rapid response at the fingertips of the threat hunters for immediate actions

For further information, please visit

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-worldwide

Happy Hunting!

Sec-Labs Team

New features in Advanced Hunting – Microsoft 365 Defender

During Ignite, Microsoft has announced a new set of features in the Advanced Hunting in Microsoft 365 Defender.

These features will definitely help you in the Threat Hunting process and also reduce the gap between analysts, responders and threat hunters and simplify the life of a threat hunter.

Multi-tab support

When having hunting training classes, I usually recommend to use multiple browser tabs. One for the query development, and one used to go back to previous queries to see how some things were done earlier.

for example, if you are developing a hunting query and need an if statement, external data, regex or other more advanced features it is easier to just open a previous query to see how it was solved last time. At least until you get more fluent in KQL. This is to avoid having to save your new query, go back to the old one, and then back to the new again

With the multi-tab support we can open the query in a new tab

Resource usage

The new Hunting Page will now provide the resource usage for the query both timing and an indicator of the resource usage

This will make it easy to see when query optimization is recommended and needed.
You could for example use equals, has instead of contains, remove columns not used to reduce the dataset etc. Of course, when it’s feasible.

If you would like to learn more about how to optimize queries, please visit:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide

UX

Schema, Functions, Queries and Detection Rules have been separated into tabs for, according to my opinion, easier access and pivoting which will give a better overview in each tab.

Schema Reference

The schema reference will open as a side pane




When looking at one of the *events tables, the ActionType column is very useful to see which events are being logged.
Earlier, I usually selected distinct ActionType in the query to have a look at the events being logged. Now, it’s possible to use the quick access from the portal to expand all action types for a specific table.

Above image shows the action types for DeviceFileEvents. In the DeviceEvents there are around 180 different action types to query.

For the hunting query development and hunting use-cases, the action types is a great go-to resource.

The columns in the schema reference is clickable and can in a simple way be added to the query

Simple query management

Inspect record

The inspect record pane is an easy way to see the data for one single row. When developing new queries I usually take a subset of data (take/limit 20) to see an overview of the results, and also select an event to see all data instead of side scrolling through all columns when needed.

New features in inspect record is that we can do quick filters which will be added to the query.

In this example we would like to know more about process executions from the C:\AttackTools folder

If we would like other pre-defined FolderPath filters, we can select View more filters for FolderPath
We can continue the query development and as in below example, get the count for each file in the folder specified in the query.

Last but definitely not leastLink the query results to an incident

This is my favorite, this will reduce the gap and simplify the process between threat hunters, responders, and analysts.

By selecting the relevant events in the result, they can be added to an existing incident, or create a new incidents.

This feature will help organizations to define the threat hunting both in a proactive hunting scenario, and in a reactive, post breach scenario when the hunters will assist analysts and responder with a simplified process.

How to link the data to an incident

To be able to link the data you need to have the following columns in the output

  • Timestamp
  • DeviceId/AccountObjectID/AccountSid/RecipientEmailAddress (Depending on query table)
  • ReportId

Develop and run the query

Please note, you cannot have multiple queries in the query window when linking to incident

Choose to create a new incident or link to an existing

Add the necessary details and click next
Select the impacted entities
After finishing the wizard, the data will end up in a new alert in the incident

Last tip

Run a quick check in your environment to see if you have remote internet-based logon attempts on your devices by looking for RemoteIPType == “Public”. There are other where RemoteIPType is useful, like processes communicating with Internet.

Happy Hunting!

Download quarantined files is GA

As announced by Microsoft last week, the Download quarantined files is generally available.

This will simplify for SecOps to download quarantined files for further analysis.

So, why do SecOps want to download files?

One reason could be that they want to do forensic analysis on the file to see if taken response actions was enough or extract indicator which they can hunt for.

The feature is enabled in advanced features and is enabled by default

MDATP Settings – Microsoft 365 security

Cloud protection integration

The file download is dependent on the sample submission settings. Make sure it’s turned on!

Requirements 

The file download is available from multiple pages in defender

It’s also visible on the file page, and the reason why we want to have the option to download in multiple pages is to avoid having to switch view and to be able to take the actions where we are in the portal

Update

The possibility to set password for the file download makes it more safe and also avoid file to be detected during download