During Microsoft Ignite, Microsoft announced Defender ATP EDR capabilities for Mac is available in preview.
It’s great to see Microsoft extend the EDR capabilities cross-platform. The preview brings:
Rich investigation experience – including machine timeline, process creation, file creation, network connections and, of course, the popular Advanced Hunting.
Optimized performance – enhanced CPU utilization in compilation procedures and large software deployments.
In-context AV detections – just like with Windows, get insight into where a threat came from and how the malicious process or activity was created.
Extending Defender ATP to be able to natively support Windows, Mac and Linux is great news and will simplify advanced threat management across the environment.
So far at the Microsoft Ignite conference, Microsoft has made several new announcements.
This list is a mix of some of them:
Azure Sentinel: new connectors for Zscaler, Barracuda, and Citrix. Microsoft has also added new hunting queries and machine learning-based detections to help prioritize the most important events.
Insider Risk Management in Microsoft 365 – to help identify and remediate threats stemming from within an organization. Now in private preview, this new solution leverages the Microsoft Graph along with third-party signals, like HR systems, to identify hidden patterns that traditional methods would likely miss. https://www.microsoft.com/en-us/microsoft-365/blog/?p=233542
Microsoft Authenticator: Microsoft makes Microsoft Authenticator available to customers as part of the Azure Active Directory (Azure AD) free plan. Deploying Multi-Factor Authentication (MFA) reduces the risk of phishing and other identity-based attacks by 99.9 percent.
Microsoft Defender Advanced Threat Protection (ATP)—Microsoft extends endpoint detection and response capability in Microsoft Defender ATP to include MacOS, now in preview. Microsoft also plans to add support for Linux servers.
Azure Security Center—Microsoft announces new capabilities to find misconfigurations and threats for containers and SQL in IaaS while providing rich vulnerability assessment for virtual machines. Azure Security Center also provides integration with security alerts from partners and quick fixes for fast remediation.
Microsoft information protection and governance—The compliance center in Microsoft 365 now provides the ability to view data classifications categorized by sensitive information types or associated with industry regulations. Machine learning also allows you to use your existing data to train classifiers that are unique to your organization, such as customer records, HR data, and contracts.
Microsoft Compliance Score—Now in public preview, Microsoft Compliance Score helps simplify regulatory complexity and reduce risk. It maps your Microsoft 365 configuration settings to common regulations and standards, providing continuous monitoring and recommended actions to improve your compliance posture. Microsoft also introduces a new assessment for the California Consumer Privacy Act (CCPA).
I was told about a Twitter post which explained it’s possible to block Security events from being created.
If you add the CurrentControlSet\Control\MiniNt key, Windows will think it is WinPE and will not log any event to the Security Log 😱 #hacked #windowsinternals #redteam
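From a defender's side, the thing to watch for is the condition the tweet describes: a MiniNt key appearing under the control set on a host that is not WinPE, and a Security log that has gone quiet. The following is an added PowerShell check (not from the tweet or the original post) that reports both on the local machine; the output object and its field names are my own and assume an elevated session.

```powershell
# Added example (not from the original post): report whether the MiniNt key
# exists and whether the Security log is still receiving events. Run elevated.
$miniNtPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt'

function Test-SecurityLogHealth {
    $keyPresent = Test-Path -Path $miniNtPath

    # Newest Security event; if auditing has been suppressed this will be stale.
    $latest = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction SilentlyContinue
    $age = if ($latest) { (Get-Date) - $latest.TimeCreated } else { $null }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MiniNtKeyPresent      = $keyPresent
        LastSecurityEvent     = if ($latest) { $latest.TimeCreated } else { 'none' }
        MinutesSinceLastEvent = if ($age) { [math]::Round($age.TotalMinutes, 1) } else { $null }
    }
}

$result = Test-SecurityLogHealth
$result | Format-List

# Either signal on its own is worth a ticket; both together is an incident.
if ($result.MiniNtKeyPresent) {
    Write-Warning "MiniNt key present on $($result.ComputerName); Security auditing may be suppressed."
}
if ($null -eq $result.MinutesSinceLastEvent -or $result.MinutesSinceLastEvent -gt 60) {
    Write-Warning "No Security events in the last hour on $($result.ComputerName)."
}
```

Because a key write like this is a single registry event, it is a better fit for a central detection (registry auditing forwarded to your SIEM, or Defender ATP registry events in Advanced Hunting) than for a script run ad hoc; the script above is the quick verification you run on a suspect host.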
Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available
Some of the new features are:
Workbooks are replacing dashboards, providing for richer analytics and visualizations
New Microsoft and 3rd party connectors
Detection and hunting:
Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
Easy elevation of MTP alerts to Sentinel incidents.
Built-in detection rules utilizing the threat intelligence connector.
New ML models to discover malicious SSH access and to fuse identity and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI.
Template playbooks now available on GitHub.
New threat hunting queries and libraries for Jupyter Notebooks
Incidents:
The interactive investigation graph is now publicly available.
Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.
The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide an extremely powerful Endpoint Protection Platform (EPP). Microsoft is named a Leader!
With built-in, powerful capabilities that tie together Protect, Detect and Respond, they have given us great tools for our security work.
Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Windows 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.
Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.
The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP, Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.
Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.
Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.
In addition, excellent execution on its roadmap makes it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.
Gartner
The insights and protection these tools provide, together with the ability to use the built-in SOAR capabilities, give security teams around the globe a better and much faster understanding of attacks, and therefore a much faster response.
Many features like Exploit Protection, Network Protection, Attack Surface Reduction, Firewall and more provide a more reliable platform which is easy to manage.
The enriched alerts and incidents give security teams a chance to put their effort into the critical incidents and avoid spending time fighting the noise across different tools and manual tasks.
Automated investigations
Build your playbooks
Take back the control with live response
We also have the Threat and Vulnerability Management feature, which gives you visibility into vulnerable software in your estate.
When working with incident response you will from time to time find artifacts that you need to block, such as IP addresses or specific URLs. Instead of doing this on the proxies or firewalls it’s often more efficient to do it at the endpoint level, which also catches roaming machines wherever they are. In some cases you also work with other TI vendors, get IPs and URLs you want to block, and build automation around them. This feature is currently in preview.
So, with WDATP you can now block or allow IPs and URLs.
For this feature to work you need to have some prerequisites:
Windows 10 1709 Pro, E3/E5 or Edu
Windows Defender Network Protection
Windows Defender AV
Cloud Delivered Protection enabled
It’s possible to enable Network Protection in several ways. In our case we will just leverage PowerShell. To set it and verify it’s configured:
```powershell
# Turn on Network Protection in block mode (AuditMode is the other useful value)
Set-MpPreference -EnableNetworkProtection Enabled
# Review the resulting Defender preferences; EnableNetworkProtection should read 1
Get-MpPreference | fl
```
Once you have prepared the endpoint you can go to the MDATP Portal and add your IPs/URLs.
Navigate to Settings > Rules > Indicators.
Select the IP Address tab to view the list of IPs, or the URLs/Domains tab to view the list of URLs/domains.
In this tutorial we will Add a URL but the same procedure would apply for an IP.
1. Click on Add Indicator
2. Enter a URL and select whether you want the block to expire
3. Add an Action as you like and the descriptive text you want to accompany your alerts. In this case we want to block and get an alert for this.
4. Select Scope, in this case we will select all machines but if you have built a structure with Machine Groups you can select to target specific machine groups where this will apply.
5. On the Summary screen click Save.
Note: from entering an IP/URL it can take some time for it to propagate to the endpoints and when it comes to removal it may even take a bit longer.
So when this has propagated to the endpoints we can test it out and see how this looks on the endpoint.
When browsing to the URL the end user will be notified with a toast notification that something has been blocked, and an event log entry will also be written.
In our case an alert will also be triggered in the MDATP console, where we can continue our investigation. I hope this gave a little valuable insight into this feature.
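The prerequisite check, the enable step and the "event log entry" mentioned above can all be driven from the same elevated PowerShell session. The following is an added example, not code from the original post: it uses the documented Set-MpPreference/Get-MpPreference and Get-MpComputerStatus cmdlets, and reads the Defender operational log for the Network Protection event IDs (1126 for a block, 1125 for an audit-mode hit). The one-hour lookback window is an assumption.

```powershell
# Added example (not from the original post): enable Network Protection,
# confirm the prerequisites, then pull the Network Protection events written
# after a test browse to the blocked URL. Run elevated.

# Prerequisite: Windows 10 1709 or later (build 16299).
$os = Get-CimInstance Win32_OperatingSystem
if ([int]$os.BuildNumber -lt 16299) {
    Write-Warning "Build $($os.BuildNumber) is older than Windows 10 1709; Network Protection is not available."
}

# Enable Network Protection in block mode (Disabled / Enabled / AuditMode).
Set-MpPreference -EnableNetworkProtection Enabled

# Verify the settings the feature depends on.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    NetworkProtection        = $pref.EnableNetworkProtection     # 1 = block, 2 = audit, 0 = off
    CloudDeliveredProtection = $pref.MAPSReporting               # 1 = Basic, 2 = Advanced, 0 = off
    RealTimeProtection       = $status.RealTimeProtectionEnabled
    AntivirusEnabled         = $status.AntivirusEnabled
} | Format-List

# After browsing to the blocked URL, read the Network Protection events:
# 1126 = blocked (block mode), 1125 = would have blocked (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddHours(-1)   # assumed lookback window
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If MAPSReporting comes back as 0, cloud-delivered protection is off and the indicator will not be enforced even though EnableNetworkProtection reads 1; that is the most common reason a freshly added indicator appears not to work.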
There are still many companies using forward proxies, and when analyzing traffic from endpoints this can be a bit challenging. This is because the client connects to the forward proxy instead of the public endpoint such as http://blog.sec-labs.com.
So instead of the public endpoint you would see that the process is connecting to the proxy.
Microsoft has engineered around this: by enabling the Network Protection feature in either Audit mode or Block mode you can now see the public endpoint the process is actually communicating with behind the forward proxy.
Events coming from this type of detection are flagged with a “NetworkProtection” tag.
If you want to use these events when you do Hunting they are found under NetworkCommunicationEvents, and if you know your proxy IP address you can get everything that has gone via the proxy with the following query.
```kql
// Replace ProxyIP with the address of your forward proxy
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
```
Microsoft Defender ATP is a great tool for enhancing your detection capabilities, and once you find incidents you can work with the Hunting capabilities we have blogged about earlier. The challenge we often face is that the Hunting data is only available for 30 days, so if you need to go back further that data is not available.
Microsoft is now introducing two new built-in methods of storing that data for longer than 30 days, currently in preview:
Azure Storage Account
Azure Event Hub
From these you can then access the data and do what you like with it.
In this blog we will walk you through how to set up the Storage Account integration.
Storage Account Integration
Azure Portal
So first off let’s start with setting up a Storage Account in the Azure Portal
1. Create a storage account
2. Select your Subscription and Resource Group if you have one or create it.
3. Give your storage account a name and select your desired storage settings.
4. Configure Advanced settings as you need. In my case I used the defaults.
5. Add Tags if you are using them, review the settings and complete the creation. Let the creation complete and go to the newly created storage account.
6. To configure the integration we need to get our resource ID so open properties of the Storage Account and copy the resource ID information.
Resource Provider and onboarding consent
We also need to make sure we have microsoft.insights registered as a resource provider. You can configure that this way:
1. In the Azure Portal, go to Subscriptions > Your subscription > Resource providers
2. On the microsoft.insights resource provider click Register if it’s not already registered.
Now we can move to the Microsoft Defender Security Center portal and continue configuring the integration.
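The same storage account creation, resource ID lookup and provider registration can be scripted with the Az PowerShell module, which is handy when you stand this up in more than one tenant. This is an added example and not part of the original post; the resource group name, storage account name and region are assumptions, and it expects you have already run Connect-AzAccount against the right subscription.

```powershell
# Added example (not from the original post): create the storage account,
# print its resource ID for the Data Export wizard, and register the
# microsoft.insights resource provider. Requires the Az module and Connect-AzAccount.
$rgName   = 'rg-mdatp-export'    # assumed resource group name
$saName   = 'stmdatpexport001'   # assumed; must be globally unique, 3-24 lowercase alphanumerics
$location = 'westeurope'         # assumed region

# Steps 1-5: resource group (if needed) and the storage account itself.
if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $location | Out-Null
}
$sa = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName -ErrorAction SilentlyContinue
if (-not $sa) {
    $sa = New-AzStorageAccount -ResourceGroupName $rgName -Name $saName `
            -Location $location -SkuName Standard_LRS -Kind StorageV2 `
            -EnableHttpsTrafficOnly $true
}

# Step 6: the resource ID the Data Export settings wizard asks for.
Write-Output "Storage account resource ID: $($sa.Id)"

# Resource provider: register microsoft.insights if any of its resource types
# are still unregistered (Get-AzResourceProvider returns one entry per type).
$states = (Get-AzResourceProvider -ProviderNamespace Microsoft.Insights).RegistrationState
if ($states -contains 'NotRegistered' -or $states -contains 'Unregistered') {
    Register-AzResourceProvider -ProviderNamespace Microsoft.Insights | Out-Null
}

# Registration is asynchronous; poll until every resource type reports Registered.
do {
    Start-Sleep -Seconds 10
    $states = (Get-AzResourceProvider -ProviderNamespace Microsoft.Insights).RegistrationState
    Write-Output "microsoft.insights: $($states | Group-Object | ForEach-Object { "$($_.Name)=$($_.Count)" })"
} while ($states -contains 'Registering' -or $states -contains 'NotRegistered')
```

Keeping HTTPS-only on the account is worth doing here because the blobs will contain raw process command lines and URLs from every onboarded machine; treat the storage account with the same access control as the MDATP portal itself.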
MDATP Portal
In the MDATP Console go to
1. Interoperability > Data Export Settings
2. Click on Add data export settings
The wizard to export data will show up and here we have a few options.
1. Give it a Name
2. We need to have the Storage Account Resource ID from our Storage account which we stood up in the earlier steps. It can be found under properties on the storage account in the Azure Portal.
3. Check the Event Types you want to Store in your Storage Account
4. Click Save
Once you have saved, events will start being sent to your Storage Account, and if you browse the blobs in the Azure Portal you will see the different event categories.
If you click through one of them you will see that they are stored in a folder order of “tenantid\year\month\date\hour\minute\”.
The schema of the JSON files is built in the following structure:
```json
{
  "time": "<The time WDATP received the event>",
  "tenantId": "<Your tenant ID>",
  "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
  "properties": { "<WDATP Advanced Hunting event as JSON>": "..." }
}
```
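To actually use the retained data you need to read the blobs back and flatten that envelope so the hunting columns sit next to the time and category fields. The following is an added example, not code from the original post or from Microsoft: it walks every container in the storage account with the Az.Storage cmdlets, parses each blob with the schema shown above, and reconstructs the NetworkCommunicationEvents rows. The resource group and account names are assumptions, and so is the assumption that each blob holds either one JSON document or one JSON object per line (the parser handles both).

```powershell
# Added example (not from the original post): download the exported blobs and
# turn them into objects with the Advanced Hunting column names.
$rgName = 'rg-mdatp-export'     # assumed resource group
$saName = 'stmdatpexport001'    # assumed storage account
$ctx    = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName).Context
$outDir = Join-Path $env:TEMP 'mdatp-export'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function ConvertFrom-ExportBlob {
    param([string]$Path)
    $raw = Get-Content -Path $Path -Raw
    # Assumption: a blob is either one JSON document or one JSON object per line.
    $records = $(try { $raw | ConvertFrom-Json -ErrorAction Stop }
                  catch { $raw -split "`r?`n" | Where-Object { $_.Trim() } |
                          ForEach-Object { $_ | ConvertFrom-Json } })
    foreach ($r in $records) {
        # Envelope fields first (time, tenantId, category), then the hunting
        # event's own columns hoisted out of 'properties'.
        $obj = [ordered]@{
            Category     = $r.category
            ReceivedTime = [datetime]$r.time
            TenantId     = $r.tenantId
        }
        foreach ($p in $r.properties.PSObject.Properties) { $obj[$p.Name] = $p.Value }
        [pscustomobject]$obj
    }
}

# One container per event category; blob names carry the
# tenantid/year/month/date/hour/minute path described above.
$events = foreach ($container in Get-AzStorageContainer -Context $ctx) {
    foreach ($blob in Get-AzStorageBlob -Container $container.Name -Context $ctx) {
        $local = Join-Path $outDir ($blob.Name -replace '[\\/:]', '_')
        Get-AzStorageBlobContent -Blob $blob.Name -Container $container.Name `
            -Destination $local -Context $ctx -Force | Out-Null
        ConvertFrom-ExportBlob -Path $local
    }
}

# Usage: network events beyond the 30-day portal window, oldest first.
$events |
    Where-Object { $_.Category -eq 'AdvancedHunting-NetworkCommunicationEvents' } |
    Sort-Object ReceivedTime |
    Select-Object ReceivedTime, ComputerName, RemoteIP, RemoteUrl, InitiatingProcessFileName |
    Format-Table -AutoSize
```

Because everything is downloaded before filtering, narrow the Get-AzStorageBlob call with -Prefix on the tenant/year/month path once the export has been running for a while; the full walk is fine for a first verification that the integration is delivering data.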
When working with Advanced Hunting in Defender ATP, you tend to always want to update your queries as you learn. You will probably also notice that sometimes your query wasn’t broad enough, or that not all the information was available at the time. And sometimes you just want to make it look better for others to use in a shared environment.
We have updated the Squirrel hunting query to cover more of the parameters that can be used: we simply remove the check for a specific parameter and focus on the http part instead.
There are also some legitimate domains used by some applications, Slack and Discord to mention a couple, which the query excludes.
```kql
ProcessCreationEvents
| where (ProcessCommandLine has "update.exe") or (ProcessCommandLine has "squirrel.exe")
| where (ProcessCommandLine contains "http")
| extend URL=extract(@"((http:|https:)+[^\s]+[\w])", 1, ProcessCommandLine)
| where URL !in ("https://slack.com/desktop/update/windows_x64", "https://discordapp.com/api/updates/stable")
| sort by EventTime desc
| project EventTime,
ComputerName,
URL,
FolderPath,
ProcessCommandLine,
AccountName,
InitiatingProcessCommandLine,
ReportId,
ProcessId,
InitiatingProcessId
```