Latest Posts

System Center User Group – Clients days 2018

SEC-LABS R&D 2018-06-28 0 Comments

System Center User Group Sweden (SCUGSE) Client Days, a 2 day event with many interresting sessions.

Date:
October 8th
October 9th

Location:
Microsoft Office – Stockholm
Finlandsgatan 36
36 Finlandsgatan
164 74 Akalla

On this 10 years celebration of SCUGSE, David James from the Config Manager product team will come to Sweden and present.

Description

Agenda (as per June 28th)

Day 1

0815 – Doors Open
0900 – 0915 – Welcome – Jörgen & Stefan
0915 – 1015 – State of the union – David James
1015 – 1030 – Break / Networking
1030 – 1115 – TBA – David James
1115 – 1130 – Break / Networking
1130 – 1215 – What’s new from Ignite! – Stefan Schörling / TBA
1215 – 1300 – Lunch
1300 – 1330 – Sponsor Session – TBA
1330 – 1345 – Break / Networking
1345 – 1430 – TBA – David James
1430 – 1445 – Break / Networking
1445 – 1530 – TBA – TBA
1530 – 1615 – Q&A DJAM and Speakers

Day 2

0815 – Doors Open
0900 – 1000 – Windows 10 as a Service, the good the bad and the ugly – Stefan Schörling / Jörgen Nilsson
1000 – 1015 – Break / Networking
1015 – 1100 – Managing and Securing Web browsers in Windows 10 – Jörgen Nilsson
1100 – 1115 – Break / Networking
1115 – 1215 – From the Community – TBA
1215 – 1300 – Lunch
1300 – 1330 – Sponsor Session – Lookout
1330 – 1345 – Break / Networking
1345 – 1430 – What’s new in Windows 10 1809 – TBA
1430 – 1445 – Break / Networking
1445 – 1545 – Advanced Windows 10 Deployment Tricks “TS End2End” – Nickolaj A
1545 – 1600 – Closing and Price Drawings

OBS! Genom att anmäla mig binder jag mig till en no-show avgift på 500kr om jag anmäler mig till en fri-biljett och inte kommer på eventet. Jag godkänner även att mina uppgifter kan även komma att delas med sponsorerna.

THE EVENT WILL BE HELD IN SWEDISH FOR THE MAJORITY OF OUR SESSIONS EXCEPT FOR OUR INTERNATINAL SPEAKERS

For tickets and further information, please visit:
https://www.eventbrite.com/e/scugse-klientdagarna-oktober-2018-tickets-47148736139

SCUG SE on Facebook:
https://www.facebook.com/groups/241438124169/

ConfigMgr, Events

ConfigMgr, EVENT, SCUGSE

Working with Roles in Windows Defender ATP

SEC-LABS R&D 2018-06-24 0 Comments

As with everything else we want to apply a least privilege access.

If you need permission to do X you should only have access to do X and not several other things.

That’s why you should define the roles and reponsibilities in your organization to make sure you can apply a least privilege strategy.

Many products supports RBAC and should be used.

Working with Roles in Windows Defender ATP is very simple. You can enable it in Settings menu.

Settings > Roles > Enable Roles

enableRoles

The Global administrator role is added by default and have full permissions which can’t be changed.

Creating Roles

It’s not a bad idea to create a few roles, even if it’s just ju who are the complete security team. One reason is organizational changes and one important reason is that we don’t want people to work as global administrators.

Create Role

In Settings > Permissions > Roles > Add Role

createrole

Assign Azure AD group to the role

aadgroups

One example of roles setup could be:

Viewonly – For managers, able to view data
ATP-Users – Teams working with ATP, run scans, threat remediation etc
ATP-Administrators – ATP Admins, change settings and manage security roles

Depending on your organization you might need more defined roles list.

Here is the permission list and sub items is what will be granted more specific to the role.

View Data
- View Data
Alerts investigation
- Manage alerts
- Initiate automated investigations
- Run scans
- Collect investigation packages
- Manage machine tags
Active remediation actions
- Take responsive actions
- Approve or dismiss pending remediation actions
Manage security settings
- Configure alert suppression settings
- Manage allowed/blocked lists for automation
- Manage folder exclusions for automated (applies globally)
- Onboard and offboard machines
- Manage email notifications

Working with Machine Groups

To be able to separate duties even further and configure different automatic remediation rules for different Machines we have the Machine Groups features.

Machine Groups is a way to group onaboarded Machines based on Name, Domain, Machine Tag and Operating System.

machinegroup

When using the “Show preview” at the bottom of the configuration page, you can see which onboarded machines will added to the Group.

You can select automation level

Semi – Require approval for any remediation
Semi – Require approval for non-temp folders remediation
Semi – Require approval for core folders remediation
Full – Remediate threats automatically

And you can assign a Azure AD userg group with roles to the machine group

mg_usergroup

The Groups, depending on how you defined group membership rules, will be populated automatically.

change_preview

more information about Machine Groups can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection

more information about RBAC in WD ATP can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection

Happy Hunting!

/Sec-Labs R&D

Detect, Protect, Respond

RBAC, Roles, WDATP

Threat Hunting with Windows Defender ATP

SEC-LABS R&D 2018-06-21 2 Comments

A while ago Microsoft released the Threat Hunting capatibilities in WD ATP.

This is a great feature since you’re able to query a lot of things across your devices.

Example scenario:

Let’s say you receive IoC’s for an ongoing attack or investigate threat actors with known files or IP’s you can Query these IoC’s on both on-prem devices and devices which only exists on the internet and never in the office.

That’s one of the benefits of using cloud security services.

As we wrote in the last post it’s now possible to onboard older operating systems like Windows 7 and Windows 8.1. There is also possible to onboard Linux systems and Macs

linux_mac_atp

Threat Hunting

hunting_atp

The hunting capatibilities in WD ATP involves running queries and you’re able to query almost everything which can happen in the Operating System.

If you’re familiar with Sysinternals Sysmon your will recognize the a lot of the data which you can query.

AlertEvents
AlertId, EventTime, MachineId, ComputerName, Severity, Category, Title, ActionType, FileName, SHA1, RemoteUrl, RemoteIP, ReportId

MachineInfo
EventTime, MachineId, ComputerName, ClientVersion, PublicIP, OSArchitecture, OSPlatform, OSBuild, IsAzureADJoined, LoggedOnUsers, MachineGroup, ReportId,

ProcessCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, ProcessId, ProcessCommandLine, ProcessIntegrityLevel, ProcessTokenElevation, ProcessCreationTime, AccountDomain, AccountName, AccountSid, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

NetworkCommunicationEvents
EventTime, MachineId, ComputerName, ActionType, RemoteIP, RemotePort, RemoteUrl, LocalIP, LocalPort, LocalIPType, RemoteIPType, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessParentCreationTime, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

FileCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessMD5, InitiatingProcessSHA1, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

RegistryEvents
EventTime, MachineId, ComputerName, ActionType, RegistryKey, RegistryValueType, RegistryValueName, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

LogonEvents
EventTime, MachineId, ComputerName, ActionType, AccountDomain, AccountName, AccountSid, LogonType, ReportId

ImageLoadEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

MiscEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, AccountDomain, AccountName, AccountSid, RemoteUrl, RemoteComputerName, ProcessCreationTime, ProcessTokenElevation, LogonId, RegistryKey, RegistryValueName, RegistryValueData, RemoteIP, RemotePort, LocalIP, LocalPort, FileOriginUrl, FileOriginIP, AdditionalFields, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessMD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessLogonId, ReportId

The query language is very similar to Splunk and adoption to these queries should be straight forward
ProcessCreationEvents | where EventTime > ago(30d) | where FileName in~ ("powershell.exe", "powershell_ise.exe") | where ProcessCommandLine has "Net.WebClient" or ProcessCommandLine has "DownloadFile" or ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "Invoke-Shellcode" or ProcessCommandLine has "Invoke-Mimikatz" or ProcessCommandLine has "http:" | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine | top 100 by EventTime

Use “Project” to select which columns you want in the output and you can export the result to a spreadsheet.

output

In the above example we ran a query to find malicious powershell commands being executed.

You can also, for example, query all powershell executions from Office applications
ProcessCreationEvents | where EventTime > ago(14d) | where ProcessCommandLine has "powershell" | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpoint.exe")
You can also use the quick search to finns URL’s, File hashes, IPs

quick search

The output will show you hits in organization and prevalance world wide which will give you more indication of a threat.

When we search for a filehash we can also submit the file for deeper analysis.

Microsoft has a Github repositories to help you with example queries

https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries

Sharing Queries

When working in a team it’s a good idea to share your queries to let your colleagues to use your hunting queries.

sharing_queries

The language reference is available here
https://docs.loganalytics.io/docs/Language-Reference/

Happy Hunting!

/Sec-Labs R&D

Detect, Protect, Recover

ThreatHunting, WDATP

Onboarding older Windows Versions to WD ATP

SEC-LABS R&D 2018-06-19 1 Comment

Today Microsoft announced that it’s now possible to onboard older legacy operatingsystems to ATP (Advanced Threat Protection) when the public preview that is available.

Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise

Even though we Always recommend using the latest versions there might be scenarios where you need the advanced detection and response capatibilities and of ATP and it’s not possible to upgrade the machines.

The difference between Windows 10 and the older versions is that is not built-in and you have to install an Microsoft Monitoring agent which will connect to your workspace and report the sensor data.

Installing the agent

64-bit agent is available here:
https://go.microsoft.com/fwlink/?LinkId=828603

32-bit agent is available here:
https://go.microsoft.com/fwlink/?LinkId=828604

When you have downloaded the setup file you extract it using “/c” parameter

Install command
setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1

The workspace ID and Key is available in your ATP Portal https://securitycenter.windows.com

The clients will connect to the service using HTTPS and can be a direct connection or through a proxy or OMS gateway.

Agent Resource	Ports
*.oms.opinsights.azure.com	443
*.blob.core.windows.net	443
*.azure-automation.net	443
*.ods.opinsights.azure.com	443
winatp-gw-cus.microsoft.com	443
winatp-gw-eus.microsoft.com	443
winatp-gw-neu.microsoft.com	443
winatp-gw-weu.microsoft.com	443
winatp-gw-uks.microsoft.com	443
winatp-gw-ukw.microsoft.com	443

When your clients are configured you should start seeing them in the ATP console

As you may have noticed there’s a link to Azure ATP alerts where you can dig further on advanced attacks in your environment.

On the following link you can find more information about onboarding older Windows Versions to Defender ATP
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection

Happy Hunting

/SEC-LABS R&D

Detect, Protect, Respond

AdvancedThreatProtection, ATP, Defender, WDATP, Windows7, Windows8.1

Controlling Auto Forward Rules of Emails to avoid data leakage

SEC-LABS R&D 2018-06-18 0 Comments

Email Forwarding is a challenge when it comes to modern attacks, and it was recently used as one of the tools in a crimecase in Sweden. Basically the attackers forwarded all emails from the victims to themselves to be able to track the victims very easily and to gain insights and data for social engineering attacks. Multifactor auth via e-mail or password reset links where obtained and could easly be used to manipulate and gain access.

Email forwarding can be created in Outlook or the the web application (OWA) by the users or an attacker with access to a user account.

The solution for this is very easy.
You can block email forwarding and redirects in general and allow it where it’s necessary (if you do have that scenario).

Block autoforward domain wide for Office 365 using PowerShell:
Set-RemoteDomain Default -AutoForwardEnabled $false
It is possible to configure this on a per domain basis.
For instance, if you need to allow forward to specific domain.

To view all forwarding rules today both on-prem and cloud you can use the following script.
The only difference is the connection part.

View the Rules
Function Get-AutoForwardRules { foreach ($a in (Get-Mailbox -ResultSize Unlimited |select PrimarySMTPAddress)) { Get-InboxRule -Mailbox $a.PrimarySMTPAddress | ?{($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.DeleteMessage -eq $true) -or ($_.RedirectTo -ne $null)} | select Name,Identity,ForwardTo,ForwardAsAttachmentTo, RedirectTo, DeleteMessage } }

#Example

Get-AutoForwardRules

To get the PowerShell module for office 365 which supports MFA.

Download the PowerShell Module (available in the 365 admin portal)

Connect using: Connect-EXOPSSession -UserPrincipalName user@example.com

Security Features in Office 365

Depending on your Office 365 Subscription you might get a warning email when someone tries to define a forwarding rule

This is an example for Exchange Online
$Mailboxes = Get-Mailbox -ResultSize "Unlimited" $Count = 1 ForEach ($Mailbox in $Mailboxes) { Write-Progress -Activity "Checking inboxrules..." -Status "User $($Mailbox.PrimarySmtpAddress) ($count/$($Mailboxes.count))" -PercentComplete ($Count / $Mailboxes.count*100) $MailboxWithRule = Get-InboxRule -Mailbox $Mailbox.Alias | Where-Object {($_.RedirectTo -ne $null) -and ($_.ForwardTo -ne $null) -and ($_.ForwardAsAttachmentTo -ne $null)} if ($MailboxWithRule -ne $Null) { Write-Host "Mailbox $($Mailbox.PrimarySmtpAddress) has these rulez:" $MailboxWithRule | fl Name, Identity, RedirectTo, ForwardTo, ForwardAsAttachmentTo } $count++ }

Detect, Protect

ATP, AutoForward, Breach, DataLossPrevention

Updates to Attack Surface Reduction Rules in Windows 10 1803

SEC-LABS R&D 2018-05-16 0 Comments

5 new rules are being introduced with Windows 10 1803

Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB

Complete Rules list with GUIDs

Rule name	GUID
Block executable content from email client and webmail	BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes	D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content	3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes	75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content	D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts	5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro	92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criteria	01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware	c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe)	9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands	d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB	b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Details about the rules can be found here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

Protect

ASR, GPO, Windows10

SSH native in Windows 10 1803

SEC-LABS R&D 2018-05-16 0 Comments

If you manage a mixed platform your might be switching between, RDP sessions, Remote PowerShell and other remote Tools.

Except for old legacy applications which may not be possible to manage without a GUI, it’s easier, possible to automate and will save you a lot of time using a command line interface.

To extend this support, there is now a native SSH client in Windows.

You may want to check your firewall rules to Control who and where admins can connect and what you need to block

Uncategorized

1803, SSH, Windows10

Use powershell to download sysinternals tools

SEC-LABS R&D 2018-05-15 0 Comments

Today, I was starting to get some order of my troubleshooting tools and thought it was a good idea to re-download all sysinternals tools.

It could be, in the future, that I might want to download the latest tools again. Here is a function which will download the files to prefered destination folder.

https://github.com/stefanschorling/SEC-LABS/blob/master/Download-SysInternalsTools.ps1

Identify

Powershell, Sysinternals

Get-WPAKeys using PowerShell and netsh

SEC-LABS R&D 2018-05-15 0 Comments

It could be a situation when you want to extract the clear text password from the wireless Connections without elevation or GUI.

I wrote this script a while ago and it’s kind of usable sometimes.

The script is located here:
https://github.com/stefanschorling/SEC-LABS/blob/master/Get-WPAKeys.ps1

Uncategorized

NETSH, Powershell, WPA2

Windows Event Forward and Custom Logs

SEC-LABS R&D 2018-05-15 0 Comments

First of all, this post is more about configuring custom event channels than configure WEF.

There is more than one way to work with event logs and the most important is to start working with event logs.

Some of the benefits is one place to find the logs for multiple systems and if someone clears, for example, the security log it’s important that you can find the log events before that happened and have alerts triggered on the clearing event.

Using the WEC (Windows Event collector) service is a free option and one of the most frequent used way to gather logs from Windows Clients.

So where do these events end up?

Windows Event Forward uses WinRM to forward the logs from the source to the server which runs the Windows Event Collector Service.

There are 2 different options where one option is to let the WEC server to connect to the client and poll the events and the other options is to let the client to push the events to the WEC server.

This is configured in the subscription part in Event Viewer

Besides the Subscription types you also must configure the Destination log (Default Forwarded Events) and select which events will be forwarded.

There are a few git projects for events in xml(xpath) format which you can use to automatically update the events.

There are more than security people which wants to be able to forward events.

IT operations and endpoint management teams would benefit from WEF by being able to collect errors and other events that might help with troubleshooting.

If you are about to publish new applocker rules you could set them in Audit mode and collect and analyze information where the rules would impact on a user.

Since we have multiple user cases for WEF you may want to separate the logs into different logs.

Security people maybe don’t want the support-.log to fill their selections of security related events.

You may want to forward the security logs into a SIEM solution like Splunk or QRADAR and don’t want to waist SIEM data license with non-security events.

To achieve this, we create a custom log.

Using Ecmangen.exe (provided in one of the Windows 10 SDKs, beware of that this tool is removed from the latest releases)

Save the output to c:\temp\WEF and run the following commands

“C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe” C:\temp\wef\WEFEvents.man

“C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe” -css WEFEvents.DummyEvent C:\temp\wef\WEFEvents.man

“C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe” C:\temp\wef\WEFEvents.rc

“C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe” /win32res:C:\temp\wef\WEFEvents.res /unsafe /target:library /out:C:\temp\wef\WEFEvents.dll C:\temp\wef\WEFEvents.cs

Copy the WEFEvents.dll and WEFEvents.man to c:\windows\system32 and register with:

wevtutil im c:\Windows\system32\WEFEvents.man

You will now be able to use these logs for WEF.

You can have, for example, one for servers one for clients. One with a SPLUNK forwarder and one inserted to a database with a nice custom interface which suites your need depending of what you have.

Detect

Event Forward, SIEM, WEC, WEF