Latest Posts

March updates to Windows 10 for Cloud App Discovery integration in MDATP

Who doesn’t want to get in control of their Cloud App Usage, and get a nice cloud usage dashboard like this?

With the latest March 2019 Updates to Windows 10, 1709 and 1803 Microsoft has back ported the Cloud App Discovery Capabilities from 1809 so now you will get Discovery Data from Windows 10 devices ranging from 1709 and above, all you need to do is to enable the integration and your machines that are on boarded to MDATP will start reporting in.

Microsoft has also included some back porting regarding Automatic Investigation, Remediation, Memory Forensic.

Happy Hunting

Hunting Windows Defender Exploit Guard with ATP

Alright, since I happen to be in a blog mode I keep the posts coming.

This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.

So what’s this Exploit Guard?

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.

Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements

Attack Surface Reduction (ASR)A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
Network Protection Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
Controlled Folder AccessProtects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
Exploit ProtectionA set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Example of ASR rules

• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code

Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.

If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.

This following dashboard is a part from the Monitor and Report section in the portal

Back to Defender ATP and the hunting which this post was supposed to be all about.

We have published some posts now about hunting custom alerts.

In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.

We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.

Examples from the output:


Interesting note “SmartScreenUserOverride” is a separate event which you can query

When we had the raw Actiontypes we created the query to cover as much as we could.

//Happy Hunting
| where ActionType contains "asr" or
        ActionType contains "Exploit" or
        ActionType contains "SmartScreen" or
        ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc 
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,  
         FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,

We are also parsing AdditionalFields to be able to add extra value to events which contained such data.

From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment

Happy Hunting!

Defender ATP and PowerBI

Maybe, you don’t want management in the ATP portal, even though it’s configurable via roles, and maybe they don’t want to be there.

One thing I know is that most managers loves numbers, so why not provide them with a PowerBI report.

You can perfectly use cloud based option and there is an app for Windows Defender ATP already there for you to use.

Configure your connector and you’re all good to go

The dasboard looks like the following picture

With the many different tiles you, or your manager, can dig deeper in to events like in this following example with alert status

It’s also possible to filter data based on who a case was assigned to, who resolved the case etc.

If you have a PowerBI Pro account, you could subscribe to get scheduled reports.

You can also to quick filter

This is an easy win for your manager

Automate response with Defender ATP and Microsoft Flow

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

  • Start by browsing to and create a new flow
  • Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.

We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content


Pro tips:

  • Use get alert to be able to add more dynamic content to use in subsequent steps
  • Use get machine to be able to get more information like IP, Computername etc
  • Start building your automated playbooks. This will save you time

CTF, Capture The Flag

CTF, Capture the Flag is a known form of a game mode for various games like Paintball, laser games and Computer games, but it’s also used in Computer Security.

Capture the Flag is a really good way of enhancing your Security skills, it starts with a few clues and quests you must solve to retrieve the flag for the challenge. These are named as Jeopardy-style CTF. They are often devided into different types of challenges i.e.:

  • Cryptography
  • Web
  • Forensics
  • Binary Exploitation
  • Reversing
  • Networking

There are also modes for CTF called Attack-Defense, where the teams have to defend their own network or machine and att the same time attack the opponents. There is also a version like one team is defending and the other one is attacking, a Blue Team – Red Team approach.  Blue Team defends and tries to find out how and when the Red Team makes their way to get the Flag.


Who is CTF for?

It’s for everyone with a interest in cyber security.

Qualify for bigger events

Some CTF’s are qualifiers for bigger CTF events, so get going and solve the challenges!

Example challenge from (

This CTF has beginner challenges (which I can recommend if you’re new to this).

Amongst the beginner challenges we have the following one.

CTF challenge

This challenge want us to find the flag which will look like “CTF{xxxxxx}” by using the clues in the text and the file which we are able to download.

We download the file (Attachment) and extract the content

The clue from the challenge indicates it’s something fishy with this .ico file.

Tha the initial view, it looks alright.

Let’s use binwalk which is a tool for searching binary images for embedded files and executable code to see if there is something hidden inside.

It looks like we’re getting somewhere, it seems to be a zip archive.

Let’s try to list the content with 7zip

Works! Next step would be to unpack the content in our hunt for the flag

We have extracted our files

And we now have the flag!

We enter it on the website and the challenge is completed and can start the next challenge…

Where to start?

So, for those of you who are new or want to get some good links into CTF,  I have tried to gather all CTF Links in this post for reference, I will try to keep the links updated along the way.

Audit Scheduled tasks using Azure Sentinel

Azure Sentinel is a powerful cloud based SIEM solution.
This blog series will be on how to work with Sentinel.

It will be example based on different solutions which we might run into.

This first post is about how you can work with logs and get insight in Scheduled Tasks as a way for attackers to persist in your network

For further information regards Sentinel, visit

Scheduled Tasks

By default there are no events created if someone creates or modifieds a scheduled task. To enable logging you have to enable logging of object access.

To view current settings, use the following command:

auditpol.exe /get /category:*

Only Success is required for this. This enables us to get the event 4698

To enable logging, create a new GPO and assign the following settings (depending if you want success/failure or only success)

You also have to configure your agents to send log to your workspace, you can download the agent from the Azure Sentinel workspace / <workspace name> / Advanced Settings

Otherwise, you can add the Sentinel workspace to your existing agents

$Agent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
$ID= "<WorkspaceID>"
$Key = "<key>"
restart-service HealthService

In Azure Sentinel – Data connectors, configure Security Events

Azure Sentinel Connectors

Verify heartbeats from computers

Heartbeat | summarize argmax(TimeGenerated, *) by Computer

So now we have logs from 2 computers and now we want to query Scheduled Tasks

A simple way is to just query the EventID


We can use project to format our table but we still want to get information about the tasks that were created to get a better overview

According to documentation we can use Parse operator into one or more calculated columns

| where EventID == "4698"
| parse EventData with * '"SubjectUserName">' SubjectUserName '<' * '"SubjectDomainName">' SubjectDomainName '<' *

This query will

  • Select all events where eventid=4698
  • parse the column event data and look for ‘”SubjectUserName”>’
  • Put everyting to a column named SubjectUserName until character ‘<‘
  • the wildcard will run the samething again
  • Continue parsing until ‘”SubjectDomainName”>’
  • Put everything into column SubjectDomainName until character ‘<‘

To continue this to get some really useful information we continue to parse the content until we get everything we need

//Sec-Labs Demo - Sentinel Hunting for Scheduled Tasks Persistance
let start=datetime("2019-03-12T19:39:47.762Z");
let end=datetime("2019-03-19T22:39:47.762Z");
|where TimeGenerated > start and TimeGenerated < end
| where EventID == "4698"
| parse EventData with * '"SubjectUserName">' SubjectUserName '<' * '"SubjectDomainName">' SubjectDomainName '<' * '"TaskName">\\' TaskName '<' * 'Author>' Author '<' * '<Command>' SchedCommand '</Command' * 'Arguments>' SchedArgs '</Arguments' * 'WorkingDirectory>' SchedDir '&' *
| where isnotempty (SubjectUserName) 
| project TimeGenerated,SubjectUserName,Computer,Activity,SubjectDomainName,TaskName,SchedCommand,SchedArgs,SchedDir
| project-rename CreatedBy = SubjectUserName

hunting queries

To rename columns, you can use project-rename <new name> = <old column name>

Happy Hunting!

Running Windows Sandbox in a VM

The feature Sandbox available in Windows 10 preview version is very intersting for us who uses a web browsing VM.

The Sandbox feature or disposable VM is a Windows 10 container running on your Windows laptop and gives you the opportunity to launch a temporarily VM if you want to test something or just use it to browse internet to avoid infecting your machine (see the “note” later in this post because bad things can still happen) .

When you close the application all files are removed and possible malware will die.


You might want to test the feature on a VM, which will basically be running VM on a VM (nested).

If you open features you will see that the feature is grayed out and you won’t be able to enable it that way however you can enable the service with DISM.

But when you launch Sandbox it will complain.

To solve this you have to make a change on the VM CPU where you want to run Sandbox.

The only thing you have to do is enabling “Expose Virtualization Extensions”

Set-VMProcessor -VMName Windows10Prev -ExposeVirtualizationExtensions $true
powershell set exposevirtualizationextensions to true

On the VM side

Enable the feature using GUI or PowerShell and restart.

dism /online /enable-feature Containers-DisposableClientVM

Launch Sandbox app

windows 10 disposable vm

This feature is perfect instead of using and manage a VM for this kind of work.

Launch Sandbox as any other applications

Note: You will still have access to resources on the network. Therefore malware can still execute and do bad things. But they will not survive a reboot of the Sandbox but they might have already replicate themselves to another system.
You can reach other systems via RDP.
If you have your host enrolled to WD ATP, and you isolate the host, the Sandbox will still be available

The AV Engine doesn’t seem to be running either

But regardless of the “Note” it’s still a very interresting feature and it will help a lot

When you exit the application you will be prompted that all data will be lost

sandbox exit

Vulnerability in Microsoft DHCP server


This is a high priority patch for your Windows DHCP server. This RCE is executed by sending a speciallly crafted packet to the DHCP server.
We haven’t seen any public available information like Proof of concept or exploit code but that’s just a matter of time.

CVSS Score


For further information please visit:

Security update guidance:

BlueHatIL 2019 its a wrap!

So, this year I had the opportunity to participate in Microsofts conference  BlueHatIL in Tel Aviv, it’s a two day event that is packed with 18 sessions and other activities, this year you could team up in building Zumo Boats in this amazing Maker Studio. Outside of that there was a CTF Challenge to get into a secret room and in there the CTF Continued.All sessions got their own poster that where available to get for delagates but they where also part of the amosphere in the venue where they here put on walls and places around the venue.


Day 1

The AMDFlaws Story: Technical Deep Dive

To Kick off day one  Ido Li On and Uri Farkas took us through their research on flaws, they had over 8 months and 7 engineers researched the platform and found 13 vulnerabilities. One of them was related to the PSP Controller. As the found out issues with how the firmware was signed they where able to patch the Firmware and get their code in there and more or less Game Over. For those of you who don’t know the PSP it’s the Platform Security Processor and it controls many things early on. So, with this they could actually bypass features like Credential Guard as they had ownership of the components. On stage they demoed a custom version of Mimikatz where they where able to extract Credentials from a machine running Credential Guard.


Supply Chain Security: “If I were a Nation State…”

To follow up on this intro Andrew “bunnie” Huang had a great session on Supply Chain Security. The session gave examples of different Supply Chain Attacks either by replacing components, implanting new components in the hardware and a very thorough example of different technicies to do this. Bunnie showed several x-ray pictures on how hard this could be to detect, and some are more or less impossible to spot with the your bare eye.

Here is a simple example of Memory Cards he had analyzed showing Memory Cards with different chips on them from the same vendor, some of them didn’t behave like expected 😉. Possible Supply Chain Attack from a Nation State?

So, with that said, what components do you have in your equipment? Vendor approved, or Nation State approved.

After a a busy lunch with great food and some more work on the CTF it was time to listen to Benjamin Delpy and Ulf Frisk among others.

You (dis)liked mimikatz? Wait for kekeo

The man the myth the MimiKatz had a session on his tool Kekeo where he showed many cool features to impersonate users and how to exploit Kerberos. Some of the explotation included impersonation of users using smartcards, Changing password of a user without knowing the old password etc. A very good session with lots of humor and good insights on his tool Kekeo and Kerberos.

You can find the tools here


Practical Uses for Hardware-assisted Memory Visualization

As far as I am aware I was the only Swedish delegate on BlueHatIL except for the speaker Ulf Frisk, I had a chance to sit down and talk to Ulf, its always nice to run into other Swedish people in the Security Community. Ulf has over the years built his tool PCILeech a open source tool to read and write System Memory on remote devices. This is something that is done over PCIe. During BlueHatIL he presented some new features where you remotely over the network could read and write to the System Memory on the remote machine. Some really scary and awesome stuff.

You can read some really amazing blog postes on DMA at Ulfs Blog

Keynote – Offenses in Cyber Offense

The day ended with a Moderated Keynote with Citizen Lab and Associated Press on some of the recent cases of cyber espionage on citizens and public persons. Also a very loaded session with accusations flying back and forth on Nation State attacks.If you want to read up more on some of the reports Citizen Lab has produced you can find them here.  Some of their research covers the “Pegasus” Spyware that an Israeli company is selling to Nation States and others.


Day 2

Keynote -Modern Day Hypnosis: Weaponizing Data to Influence the Public

After a brief Microsoft Intro, the Day two Keynote started with Christopher Wylie also know as the Cambridge Analytica Whistleblower in a moderated session on how Weaponizing of Data Can influence the Public.

A session where he explained how data is used to manipulate the public and how its used to target individuals and influence and build “bubbles”. Very interesting but became very political from time to time. A lesson i learnt here is that these bubbles are used way beyond Online but also flow down and are used to form offline influencing “bubbles”.

No Code No Crime: UPnP as an Off-the-Shelf Attacker’s Toolkit

x0rz showed some of his reasearch on UPnP, still in 2019 there are many devices out there that have UPnP available against the internet. An easy search on Shodan will give you thousands of devices that you remotely can control and trigger port openings on routers. And by doing this you could control the device to allow traffic in to the local LAN and you could even open up a session and establish your TCP IP Session and then close the port again so when someone checks for open ports they will not see any open ports but they could possibly have an TCP Session going through their router without their knowledge. Most of the devices where geographically in Asia but quite some devices in Europe still. Personally I think its very sad to see that this is still out there as vulnerabilities and risks around UPnP has been known for years, but still fascinating.

PE-sieve: An Open-Source Process Scanner for Hunting and Unpacking Malware

In the session on PE-sieve Hasherezade showed how her tool could help in Malware Analysis and gave some helping guidance on how to use the tool. Simply the tool unpacks Malware and analysis changes to the system and gives you a summary of the changes and the files its

So if you are into Malware Analysis you can find the great tool here

Maker Studio

And what an impressive makerstudio, 3D Printers, Laser Cutting Machines, Tooling, Printers, Sewing Machines, Molding Machines. Electronics, Engines etc, basically everything you needed to make an awesome custom zumo boat to win the battle. A great activity, I saw many people team up and do 3D Cad Drawings, Code Arduino and build some really cool boats to win the battle.

Image may contain: one or more people, people sitting and indoor

Image may contain: indoor

Image may contain: one or more people




So, to wrap it up, a great conference, great atmosphere the prep of everything was so cool and yeah finally the secret Casino Room was just so awesome! In other words, I hooked up with a guy Yitai and we completed the first part of the CTF that as to gather information from some QR Codes and then decrypted the code to get to a webpage where you could find the next steps in the CTF that I unfortunately didn’t have time to play more more on.

Big shout out to the Team that made it possible and by the way don’t miss BlueHat in Shanghai in May! My biggest take away for the week is humbleness, there is still so much to learn in different areas. When talking security you just need to expect unexpected things,  things you think are impossible are very often possible. I have worked over 20 years in IT and Security and to be successful I would say you need curiosity, a mind that is thinking out of the box, allot of time and stubbornness is also some good things to put in the mix. And at last enjoy and have fun of what you are doing.

You can find more info on the Event at or following and reading up on the twitter hashtag #bluehatil and why not watch the official aftermovie below.