When working with Advanced Hunting in Defender ATP, you tend to always want to update your queries as you learn. You will probably also notice that sometimes your query wasn’t broad enough or all information was not available at the time. And sometimes you just want to make it look better for others to use in a shared environment.
We have updated the Squirrel hunting query to adjust to more parameters which can be used. we simple remove the check for a parameter and focus on the http part instead.
There are also some legit domains which are used by some of the applications, slack and discord to mention some of them.
ProcessCreationEvents
| where (ProcessCommandLine has "update.exe") or (ProcessCommandLine has "squirrel.exe")
| where (ProcessCommandLine contains "http")
| extend URL=extract(@"((http:|https:)+[^\s]+[\w])", 1, ProcessCommandLine)
| where URL !in ("https://slack.com/desktop/update/windows_x64", "https://discordapp.com/api/updates/stable")
| sort by EventTime desc
| project EventTime,
ComputerName,
URL,
FolderPath,
ProcessCommandLine,
AccountName,
InitiatingProcessCommandLine,
ReportId,
ProcessId,
InitiatingProcessId
A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.
In the post, Teams is mentioned as example but other affected application were mentioned on twitter.
So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!
To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.
Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.
To make it more easy to overview we’re adding the URL to a column
To continue this we can count unique URL’s to find anomalies
Alright, since I happen to be in a blog mode I keep the posts coming.
This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.
So what’s this Exploit Guard?
Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.
Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements
Component
Details
Attack Surface Reduction (ASR)
A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
Network Protection
Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
Controlled Folder Access
Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
Exploit Protection
A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications
Example of ASR rules
• Block Office apps from creating executable content • Block Office apps from launching child process • Block Office apps from injecting into process • Block Win32 imports from macro code in Office • Block obfuscated macro code
Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.
If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal https://security.microsoft.com where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.
This following dashboard is a part from the Monitor and Report section in the portal
Back to Defender ATP and the hunting which this post was supposed to be all about.
We have published some posts now about hunting custom alerts.
In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.
We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.
Examples from the output:
AsrOfficeMacroWin32ApiCallsAudited
AsrPsexecWmiChildProcessBlocked
ControlledFolderAccessViolationBlocked
ExploitGuardAcgAudited
ExploitGuardChildProcessAudited
ExploitGuardNetworkProtectionBlocked
ExploitGuardNonMicrosoftSignedAudited
ExploitGuardWin32SystemCallBlocked
SmartScreenAppWarning
SmartScreenUrlWarning
SmartScreenUserOverride
Interesting note “SmartScreenUserOverride” is a separate event which you can query
When we had the raw Actiontypes we created the query to cover as much as we could.
//Happy Hunting
MiscEvents
| where ActionType contains "asr" or
ActionType contains "Exploit" or
ActionType contains "SmartScreen" or
ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,
FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId
We are also parsing AdditionalFields to be able to add extra value to events which contained such data.
From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment
