Alright, since I happen to be in a blog mode I keep the posts coming.
This post continues to explore the hunting capabilities in Defender ATP by querying for Exploit Guard detections.
So what’s this Exploit Guard?
Windows Defender Exploit Guard is a new set of intrusion prevention capabilities that is built into Windows 10 version 1709 and newer.
Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements.
Attack Surface Reduction (ASR)
A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script- and email-based threats.
Network Protection
Protects the endpoint against web-based threats by blocking outbound connections from any process on the device to untrusted hosts/IPs through Windows Defender SmartScreen.
Controlled Folder Access
Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders.
Exploit Protection
A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications.
Examples of ASR rules:
• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code
Exploit Guard is configured through MDM (Intune), SCCM, GPOs or PowerShell.
If you have a Microsoft 365 E5 license or the Threat Protection license package, you don't have to use Windows Event Forwarding to get the events into a central log solution. They will automatically be forwarded to your Microsoft 365 security portal, https://security.microsoft.com, which has a nice-looking dashboard where you can see alerts and the configuration of ASR and other things.
The following dashboard is part of the Monitor and Report section in the portal.
Back to Defender ATP and the hunting which this post was supposed to be all about.
We have published some posts now about hunting custom alerts.
In the query console in Defender ATP we started to work backwards to find the ASR events. It's simple: configure your client, then run a few attacks which will trigger the alerts.
We looked in MiscEvents for all events (filtered on computer name and time), which gave us ideas of ActionTypes to use in the query.
Examples from the output:
Interesting note: "SmartScreenUserOverride" is a separate event which you can query.
When we had the raw ActionTypes we created the query to cover as much as we could.
// Table from the advanced hunting schema used above; ActionType names for ASR
// look like "Asr...Audited"/"Asr...Blocked", so a case-insensitive contains() works.
MiscEvents
| where ActionType contains "asr" or
    ActionType contains "Exploit" or
    ActionType contains "SmartScreen" or
    ActionType contains "ControlledFolderAccess"
// AdditionalFields is a JSON string; parse it so the event-specific details are usable.
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,
    FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
    JsonOut
We also parse AdditionalFields to be able to add extra value for events which contain such data.
From this point we can add further filters. For example, if you want to enable ASR enterprise-wide: set the rules to audit mode, report on the alerts without affecting user productivity, remediate, and then do an enterprise-wide block rollout.
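The audit-first rollout described above, as an added PowerShell example (not code from the original post): it applies the five ASR rules listed earlier in audit mode on a client and reads back what the engine reports. The rule GUIDs are Microsoft's published ASR rule IDs; the -Mode parameter is this script's own, and it assumes an elevated shell on a Windows 10 1709 or newer machine.

```powershell
# Added example, not from the original post. Applies the ASR rules named in the
# post in audit mode (default) and verifies the effective per-rule setting.
param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')

# Microsoft's published rule IDs for the five rules listed in the post.
$AsrRules = @{
    'Block Office apps from creating executable content' = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office apps from launching child process'     = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office apps from injecting into process'      = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 imports from macro code in Office'      = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block obfuscated macro code'                        = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
}

# Add-MpPreference merges with rules that are already configured;
# Set-MpPreference would replace the whole rule list.
$ids = @($AsrRules.Values)
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions (@($Mode) * $ids.Count)

# Read back the effective configuration. Actions are returned as integers:
# 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$pref = Get-MpPreference
$report = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id    = $pref.AttackSurfaceReductionRules_Ids[$i]
    $match = $AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $id }
    $name  = if ($match) { $match.Key } else { '(rule not in this list)' }
    [pscustomobject]@{
        Rule = $name
        Id   = $id
        Mode = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
}
$report | Format-Table -AutoSize
```

Once the audit-mode events in the hunting query have been reviewed and remediated, rerun the script with -Mode Enabled to switch the same rules to block.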
Today Microsoft announced that it is now possible to onboard older, legacy operating systems to ATP (Advanced Threat Protection) via the public preview that is now available.
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise
Even though we always recommend using the latest versions, there might be scenarios where you need the advanced detection and response capabilities of ATP and it's not possible to upgrade the machines.
The difference between Windows 10 and the older versions is that the sensor is not built in; you have to install the Microsoft Monitoring Agent, which connects to your workspace and reports the sensor data.
Email forwarding is a challenge when it comes to modern attacks, and it was recently used as one of the tools in a criminal case in Sweden. Basically, the attackers forwarded all emails from the victims to themselves to be able to track the victims very easily and to gain insight and data for social engineering attacks. Multi-factor authentication e-mails and password reset links were obtained and could easily be used to manipulate accounts and gain access.
Email forwarding can be created in Outlook or the web application (OWA) by the users, or by an attacker with access to a user account.
The solution for this is very easy.
You can block email forwarding and redirects in general and allow it where it’s necessary (if you do have that scenario).
Block autoforward domain wide for Office 365 using PowerShell: Set-RemoteDomain Default -AutoForwardEnabled $false
It is possible to configure this on a per-domain basis, for instance if you need to allow forwarding to a specific domain.
To view all forwarding rules that exist today, both on-prem and in the cloud, you can use the following script.
The only difference is the connection part.
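Both the per-domain exception and the forwarding inventory, as one added PowerShell example (not the post's own script). It assumes you have already connected, either in the on-prem Exchange Management Shell or to Exchange Online, since that connection step is the only part that differs; partner.example and the remote-domain name 'Partner' are placeholders.

```powershell
# Added example, not the post's script. Assumes an existing Exchange session
# (on-prem Exchange Management Shell or Exchange Online); only the connection differs.
$AllowedDomain = 'partner.example'   # placeholder: the one domain forwarding is allowed to

# 1. Block auto-forwarding for every remote domain, then re-enable it only for
#    the partner domain via its own remote-domain entry.
Set-RemoteDomain Default -AutoForwardEnabled $false
if (-not (Get-RemoteDomain | Where-Object { $_.DomainName -eq $AllowedDomain })) {
    New-RemoteDomain -Name 'Partner' -DomainName $AllowedDomain | Out-Null
}
Set-RemoteDomain 'Partner' -AutoForwardEnabled $true

# 2. Inventory every forward that exists today.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Mailbox-level forwarding (set by an admin, or by the user in OWA options).
$mailboxForwards = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress,
                  ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect: what a user (or an attacker holding the
# user's credentials) would create in Outlook or OWA, as described above.
$ruleForwards = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mb.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Review both lists; anything pointing outside the allowed domain is a candidate for removal.
$mailboxForwards | Format-Table -AutoSize
$ruleForwards    | Format-Table -AutoSize
```

Get-InboxRule is run per mailbox, so on a large tenant expect the inventory step to take a while; the remote-domain change itself is immediate.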