Security

Yes you read that right, its now possible to block unsanctioned apps in Microsoft Cloud App Security directly at your Windows 10 Endpoints. Moving towards a Zero-Trust network away from the corporate firewalls and proxies you still want to maintain network control from the endpoint side, this new feature will give you the possibility to block applications, this is a great step forward in the area and its clear that Microsoft is taking Zero-Trust and Security seriously.

So how to get started first of requirements! Last year we wrote about the Network Block Feature and it could be a good start before reading this article it can be found here. https://blog.sec-labs.com/2019/07/using-wdatp-network-block/

Requirements

MDATP and MCAS Integration Enabled
- MDATP Portal > Settings > Advanced Features

Windows 10 with Network Block Enabled
MCAS Cloud App Control Enabled
- MCAS Portal > Settings > Cloud App Control
  - (Its important to note if you have marked apps as unsanctioned in the MCAS Portal already they will automatically be marked as blocked so before turning this on review your unsanctioned apps.)

Configuring Unsanctioned Apps

Once you have your requirements in-place we can start to configure unsanctioned apps, You can either select to maintain this manually or configure a policy to set all apps matching a certain criteria to be blocked. An example could be block all apps with a Risk Score Lower than 3.

Manually

If you go to your Cloud App Dashboard and find the App you want to block just click on the App and select unsanctioned.

Automatically

To have apps marked as unsanctioned automatically can be done with a Policy. Below we have an example of blocking apps that meet the criteria Risk Score 1-3.

Its also possible to add other types of criteria if you want to refine your policy. It all depends what you want to limit and the purpose, is it to control Shadow IT or is it from a Security perspective. Some examples below of other criteria that could be useful depending on the use case.

App Category Productivity
Daily Traffic Below 5 MB
Number of Users Below 5

PRO TIP: When building your Policy its very good that you can play with the Preview Results, that gives you instant feedback on how well your query will perform so try that out.

Back-end Integration

When the unsanctioned app is marked as unsanctioned the back end integration between MCAS and MDATP exchanges data and Custom Indicators are being populated. You can find these under Settings > Indicators > URLs/Domains

Like in this example we did block WhatsApp and that would replicate over to the Indicators in MDATP. The whole flow depending on sync should not take longer than 3 hours. From that you have blocked in MCAS to that the Endpoint has the blocking instruction.

Once its available in MDATP the Endpoints should update their Indicators and should start blocking.

End User Experience

At the moment the end user experience is fairly limited the user would get a Toast Notification that something has been blocked unless you have turned notifications off.

Depending on the App you are trying to communicate with the blocked app/url the behavior would occur differently.

For WhatsApp it would look like this when Launching it (sorry message in Swedish)

And a Default Notification Message like this below

Reporting

At the moment the tracking and reporting is also limited to whats available in MCAS and MDATP and its supported retention times.

Future Asks

Things I want to see and I have fed back to the Product groups I want this to evolve to going forward.

Support for X-Platform Devices
Block without Alerting like Block and Report
Having the possibility to do Exclusions and Custom Targeting of Devices/Users
Expand this to URL Categories Block / Monitor
Better Historical Reporting
Customize Messages
End User Coaching
End User Exclusion Request

If you have other ideas feel free to tweet me at @stefanschorling and I will relay.

Detect, Protect, Security

Defender ATP EDR for MAC preview

Security Labs 2019-11-07 0 Comments

During Microsoft Ignite, Microsoft announced Defender ATP EDR capabilities for Mac is available in preview.

It’s great to see Microsoft extends the EDR capabilities to cross-platform

Rich investigation experience – including machine timeline, process creation, file creation, network connections and, of course, the popular Advanced Hunting.
Optimized performance – enhanced CPU utilization in compilation procedures and large software deployments.
In-context AV detections – just like with Windows, get insight into where a threat came from and how the malicious process or activity was created.

More information available at
https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-for-Mac-EDR-in-Public-Preview/ba-p/985879

Happy Hunting!

Detect, News, Security

Defender ATP, EDR, Mac, OSX

Azure Sentinel is now GA

Security Labs 2019-09-25 0 Comments

Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available

Some of the new features are:

Workbooks are replacing dashboards, providing for richer analytics and visualizations
New Microsoft and 3rd party connectors

Detection and hunting:

Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
Easy elevation of MTP alerts to Sentinel incidents.
Built-in detection rules utilizing the threat intelligence connector.
New ML models to discover malicious SSH access, fuse identity, and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI
Template playbooks now available on Github.
New threat hunting queries and libraries for Jupyter Notebooks

Incidents:

The interactive investigation graph is now publicly available.
Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.

MSSP and enterprise support:

Azure Lighthouse for multi-tenant management
RBAC support

For further information:

Pricing: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/
Product page: https://azure.microsoft.com/en-us/services/azure-sentinel/
Documentation: https://docs.microsoft.com/en-us/azure/sentinel/

Happy Hunting

Detect, Events, Respond, Security

Azure, Cloud, Sentinel, SIEM, ThreatHunting

Using WDATP Network Block

Security Labs 2019-07-23 1 Comment

When working with Incident Response you from time to time find artifacts that you need to block, IP Addresses or specific URLs. Instead of doing this on the proxies or firewalls its often more efficient to do this on the endpoint level to catch roaming machines where ever they are. In some cases you also work with other TI vendors and get IPs and URLs you want to block and build automation around. This feature is currently in preview

So, with WDATP you can now block or allow IPs and Urls.

For this feature to work you need to have some prerequisites

Windows 10 1709 Pro, E3/E5 or Edu
Windows Defender Network Protection
Windows Defender AV
Cloud Delivered Protection Enabled

It’s possible to enable Network Protection in several ways

PowerShell
Group Policy
System Center Configuration Manager
Intune / MDM

For detailed steps for each method

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection

In our case we will just leverage PowerShell. To set and verify its configured

Set-MpPreference -EnableNetworkProtection Enabled
Get-MpPreference | fl

Once you have prepared the endpoint you can go to the MDATP Portal and add your IPs/URLs

Navigate to Settings > Rules > Indicators.
Select the IP Address tab to view the list of IP’s.
Select the URLs/Domains to view the list of URLs/domains.

In this tutorial we will Add a URL but the same procedure would apply for an IP.

1. Click on Add Indicator

2. Enter a url and select if you want the block to expire

3. Add an Action as you like and descriptive texts as you want to have with your alerts. In this case we want to block and get an alert for this.

4. Select Scope, in this case we will select all machines but if you have built a structure with Machine Groups you can select to target specific machine groups where this will apply.

5. On the Summary screen click Save.

Note: from entering an IP/URL it can take some time for it to propagate to the endpoints and when it comes to removal it may even take a bit longer.

So when this has propagated to the endpoints we can test it out and see how this looks on the endpoint.

When browsing to the URL the end user will be notified about that something is blocked with a toast notification and an event log entry will also be logged.

If you want to customize the toast notifications for Windows Defender you can do that with updated group policy templates more information on that here. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications

To create a custom view in event viewer use this url reference.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard

In our case an alert will also be triggered in in the MDATP console as well where we can continue our investigation. I hope this gave a little valuable insight on this feature.

Detect, Protect, Security

MDATP Investigation behind forward proxy

Security Labs 2019-07-23 0 Comments

There are still many companies using forward proxies and when analyzing traffic from endpoints this can be a bit challenging. This due to that the client connects to the forward proxy instead of the public endpoint like http://blog.sec-labs.com.

So instead of the public endpoint you would see that the process is connecting to the proxy.

Microsoft have engineers around this and by enabling the Network Protection feature in either Audit Mode or Block mode you can now see the public endpoint the process is actually communicating with behind the forward proxy.

Events that is coming from this type of detection is flagged with the a “NetworkProtection” tag.

If you want to use thees events generated when you do Hunting they are found under Network CommunicationEvents and if you know your proxy ip address you can get everything that has gone via the proxy with the following query.

NetworkCommunicationEvents
| where ActionType == “ConnectionSuccess” and RemoteIP != “ProxyIP”

If you want to enable Network Protection the below link will guide you through the different ways you can enable it. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection

Happy Hunting

Detect, Protect, Security

Hunt for nuget/Squirrel update vulnerability

Security Labs 2019-07-01 0 Comments

A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.

https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12

In the post, Teams is mentioned as example but other affected application were mentioned on twitter.

So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!

To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.

Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.

To make it more easy to overview we’re adding the URL to a column

To continue this we can count unique URL’s to find anomalies

Edit: An Updated Query can be found on the link below here http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/

ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1), 
                       ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1), 
                       "Default")
| where exeURL != "Default"
| sort by EventTime desc 
|project EventTime, 
          ComputerName,
          exeURL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.

Happy Hunting!

Detect, Respond, Security, Uncategorized

AdvancedThreatProtection, Defender ATP, Kusto, Nuget, Teams, ThreatHunting, Vulnerability

Defender ATP and PowerBI

Security Labs 2019-04-10 0 Comments

Maybe, you don’t want management in the ATP portal, even though it’s configurable via roles, and maybe they don’t want to be there.

One thing I know is that most managers loves numbers, so why not provide them with a PowerBI report.

You can perfectly use cloud based option and there is an app for Windows Defender ATP already there for you to use.

Configure your connector and you’re all good to go

The dasboard looks like the following picture

With the many different tiles you, or your manager, can dig deeper in to events like in this following example with alert status

It’s also possible to filter data based on who a case was assigned to, who resolved the case etc.

If you have a PowerBI Pro account, you could subscribe to get scheduled reports.

You can also to quick filter

This is an easy win for your manager

Recover, Respond, Security, Uncategorized

Dashboard, Defender ATP, PowerBI

CTF, Capture The Flag

Security Labs 2019-03-21 0 Comments

CTF, Capture the Flag is a known form of a game mode for various games like Paintball, laser games and Computer games, but it’s also used in Computer Security.

Capture the Flag is a really good way of enhancing your Security skills, it starts with a few clues and quests you must solve to retrieve the flag for the challenge. These are named as Jeopardy-style CTF. They are often devided into different types of challenges i.e.:

Cryptography
Web
Forensics
Binary Exploitation
Reversing
Networking

There are also modes for CTF called Attack-Defense, where the teams have to defend their own network or machine and att the same time attack the opponents. There is also a version like one team is defending and the other one is attacking, a Blue Team – Red Team approach. Blue Team defends and tries to find out how and when the Red Team makes their way to get the Flag.

Who is CTF for?

It’s for everyone with a interest in cyber security.

Qualify for bigger events

Some CTF’s are qualifiers for bigger CTF events, so get going and solve the challenges!

Example challenge from (https://capturetheflag.withgoogle.com):

This CTF has beginner challenges (which I can recommend if you’re new to this).

Amongst the beginner challenges we have the following one.

This challenge want us to find the flag which will look like “CTF{xxxxxx}” by using the clues in the text and the file which we are able to download.

We download the file (Attachment) and extract the content

The clue from the challenge indicates it’s something fishy with this .ico file.

Tha the initial view, it looks alright.

Let’s use binwalk which is a tool for searching binary images for embedded files and executable code to see if there is something hidden inside.

It looks like we’re getting somewhere, it seems to be a zip archive.

Let’s try to list the content with 7zip

Works! Next step would be to unpack the content in our hunt for the flag

We have extracted our files

And we now have the flag!

We enter it on the website and the challenge is completed and can start the next challenge…

Where to start?

So, for those of you who are new or want to get some good links into CTF, I have tried to gather all CTF Links in this post for reference, I will try to keep the links updated along the way.

CTF Time – https://ctftime.org/
Hack The Box – https://www.hackthebox.eu/
CTF 365 – https://ctf365.com/
CTF Field Guide – https://trailofbits.github.io/ctf/
CBT Nuggets Preparation Tips –
https://www.cbtnuggets.com/blog/2018/07/how-to-prepare-for-a-capture-the-flag-hacking-competition

Security

Challenges, CTF, Security

Creating custom Azure Sentinel Hunting Queries

Security Labs 2019-03-19 0 Comments

Creating a hunting query by clicking on Hunting and New Query

Add a name, Description and the custom query.

You can test the query to see that you get the result you’re looking for

Use the mapping to map columns to entities recognized by Azure Sentinel

Select tactics for the query

The tactics can be used to filter queries

Happy Hunting!

Detect, Security

Azure, Custom Queries, Hunting, Sentinel, SIEM

Welcoming a more diverse workforce into cybersecurity: expanding the pipeline 2020-03-31
If you don’t have enough diversity on your cybersecurity team, it may be because you aren’t looking in the right places. The post Welcoming a more diverse workforce into cybersecurity: expanding the pipeline appeared first on Microsoft Security.
Making it easier for your remote workforce to securely access all the apps they need, from anywhere 2020-03-31
Ensure your remote workforce has secure access to all the apps they need: SaaS, cloud-hosted, on-premises, and legacy. The post Making it easier for your remote workforce to securely access all the apps they need, from anywhere appeared first on Microsoft Security.
Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios 2020-03-26
Increased remote work has many organizations rethinking network and security strategies. In this post we share guidance on how to manage security in this changing environment. The post Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios appeared first on Microsoft Security.
Welcoming and retaining diversity in cybersecurity 2020-03-24
Do you have the right practices in place to retain and grow the cybersecurity women who already work at your company? The post Welcoming and retaining diversity in cybersecurity appeared first on Microsoft Security.
Defending the power grid against supply chain attacks—Part 2: Securing hardware and software 2020-03-23
The hardware and software companies who supply utilities must implement better security of their build and update environment to reduce the risk of an attack on critical infrastructure. The post Defending the power grid against supply chain attacks—Part 2: Securing hardware and software appeared first on Microsoft Security.
Latest Astaroth living-off-the-land attacks are even more invisible but not less observable 2020-03-23
Astaroth is back sporting significant changes. The updated attack chain maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion. The post Latest Astaroth living-off-the-land attacks are even more invisible but not less observable appeared first on Microsoft Security.
Protecting against coronavirus themed phishing attacks 2020-03-20
Customers are asking us what Microsoft is doing to help protect them from phishing and cyberattacks, and what they can do to better protect themselves. We thought now would be a good time to share some best practices and useful information. The post Protecting against coronavirus themed phishing attacks appeared first on Microsoft Security.
Welcoming more women into cybersecurity: the power of mentorships 2020-03-19
I’ve long been a proponent to challenging traditional schools of thought—traditional cyber-norms—and encouraging our industry to get outside its comfort zones. The post Welcoming more women into cybersecurity: the power of mentorships appeared first on Microsoft Security.
Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave 2020-03-18
I’m proud to announce that Microsoft is positioned as a Leader in The Forrester Wave™: Enterprise Detection and Response, Q1 2020. The post Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave appeared first on Microsoft Security.
Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks 2020-03-17
Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with Microsoft Defender ATP, Secured-core PCs provide end-to-end protection against advanced attacks that leverage driver vulnerabilities to gain kernel privileges. The post Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks appeared first on Microsoft Security.