Tag Archive: MDATP

If you add CurrentControlSetControlMiniNt key, the Windows will think it is WinPE and will not log any event to the Security Log 😱#hacked #windowsinternals #redteam
— Grzegorz Tworek (@0gtweet) October 11, 2019

If the following key is added:
HKLM\System\CurrentControlSet\Control\MiniNt

Event Viewer after the registry key was added and after a reboot

Since it’s registry we have a lot of data to query in the Defender ATP portal (https://securitycenter.windows.com)

The Hunting query will be as follows

// Mattias Borg
// @mattiasborg82
RegistryEvents 
| where (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
        (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1

This is the initial hunting query and might be changed to avoid False-Positives if there are any.

To be able to create a custom detection rule we need to add “MachineId” and “ReportId” to the output.

// Mattias Borg
// @mattiasborg82
RegistryEvents 
| where (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
        (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1, MachineId, ReportId

Click on “Create a detection rule”

Fill in the form and select your preferred actions

Happy Hunting!

Detect

MDATP, MiniNt, Registry, ThreatHunting

Gartner EPP Magic quadrant 2019 – Defender in the leading quadrant

Security Labs 2019-08-23 0 Comments

The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide extremely powerfull Endpoint protection platform (EPP).
Microsoft is named a leader!

With built-in powerful capability which ties to Protect, Detect and respond, they have given us great tools for our security work.

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Window 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.

Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.

The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP,
Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.

Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.

Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.

In addition, excellent execution on its roadmap make it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.
Gartner

The benefit of the insights and protection these tools, and ability to use built-in SOAR capabilities, gives security teams around the globe a better and much faster understanding of the attacks for much fast response.

Many features like Exploit Protection, Network Protection, Attack Surface reduction, Firewall and more will provide a more reliable platform which is easy to manage.

The enriched alerts and incidents gives security teams a chance to put their effort to the critical incidents and avoid spending time trying to fight the noice in all different tools and manual tasks.

Automated investigations

Build your playbooks

Take back the control with live response

We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate

Threat hunting

Full gartner report:
https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=190731&st=sb&fbclid=IwAR3G9Otpxuc52bi0hpFE4-iGv8uhvgnxtSl0boqAU7-R4aw5MyLsuyy0fLg

Congratulations Microsoft, we’re looking forward for all coming features

Happy Hunting!

Detect, Identify, Protect, Respond

Defender, epp, exploitprotection, gartner, MDATP, SOAR

Hunting Windows Defender Exploit Guard with ATP

Security Labs 2019-04-11 4 Comments

Alright, since I happen to be in a blog mode I keep the posts coming.

This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.

So what’s this Exploit Guard?

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.

Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements

Component	Details
Attack Surface Reduction (ASR)	A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
Network Protection	Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
Controlled Folder Access	Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
Exploit Protection	A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Example of ASR rules

• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code

Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.

If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal https://security.microsoft.com where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.

This following dashboard is a part from the Monitor and Report section in the portal

Back to Defender ATP and the hunting which this post was supposed to be all about.

We have published some posts now about hunting custom alerts.

In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.

We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.

Examples from the output:

AsrOfficeMacroWin32ApiCallsAudited

AsrPsexecWmiChildProcessBlocked

ControlledFolderAccessViolationBlocked

ExploitGuardAcgAudited

ExploitGuardChildProcessAudited

ExploitGuardNetworkProtectionBlocked

ExploitGuardNonMicrosoftSignedAudited

ExploitGuardWin32SystemCallBlocked

SmartScreenAppWarning

SmartScreenUrlWarning

SmartScreenUserOverride

Interesting note “SmartScreenUserOverride” is a separate event which you can query

When we had the raw Actiontypes we created the query to cover as much as we could.

//Happy Hunting
MiscEvents 
| where ActionType contains "asr" or
        ActionType contains "Exploit" or
        ActionType contains "SmartScreen" or
        ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc 
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,  
         FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
         JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId

We are also parsing AdditionalFields to be able to add extra value to events which contained such data.

From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment

Happy Hunting!

Detect, Identify, Uncategorized

ASR, ATP, CFA, Defender, ExploitGuard, Kusto, MDATP, SmartScreen, WDATP, WDEG

Automate response with Defender ATP and Microsoft Flow

Security Labs 2019-04-08 9 Comments

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

Start by browsing to https://flow.microsoft.com and create a new flow
Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.

We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content

Actions

Pro tips:

Use get alert to be able to add more dynamic content to use in subsequent steps
Use get machine to be able to get more information like IP, Computername etc
Start building your automated playbooks. This will save you time

Events, Recover

Automation, Flow, MDATP, Response, SOAR, WDATP

It’s Cybersecurity Awareness Month and there is still a lot to do 2020-10-29
October is National Cyber Security Awareness Month (NCSAM). And there is still a lot to do! For the last 17 years, the National Cybersecurity Awareness Month (NCSAM) campaign, driven by the Department of Homeland Security, has raised awareness about the importance of cyber security across the Nation with the mission of ensuring that all Americans have the resources they need to be safer and more secure… […]
Unilever CISO on balancing business risks with cybersecurity 2020-10-29
Imagine showing up to work every day knowing that your job requires protecting 160,000 employees creating more than 450 products around the world—tea, ice cream, personal care, laundry and dish soaps—across a customer base of more than two and a half billion people every day. Unilever Chief Information Security Officer (CISO) Bobby Ford embraces the… […]
Back to the future: What the Jericho Forum taught us about modern security 2020-10-28
Learn about the roots of Zero Trust concept in the Jericho Forum and how they apply to today’s world of remote work more than ever. The post Back to the future: What the Jericho Forum taught us about modern security appeared first on Microsoft Security.
Cyberattacks against machine learning systems are more common than you think 2020-10-22
Machine learning (ML) is making incredible transformations in critical areas such as finance, healthcare, and defense, impacting nearly every aspect of our lives. Many businesses, eager to capitalize on advancements in ML, have not scrutinized the security of their ML systems. Today, along with MITRE, and contributions from 11 organizations including IBM, NVIDIA, Bosch, Microsoft… […]
Addressing cybersecurity risk in industrial IoT and OT 2020-10-21
As the industrial Internet of Things (IIoT) and operational technology (OT) continue to evolve and grow, so too, do the responsibilities of the Chief Information Security Officer (CISO). The CISO now needs to mitigate risks from cloud-connected machinery, warehouse systems, and smart devices scattered among hundreds of workstations. Managing those security risks includes the need… […]
CISO Spotlight: How diversity of data (and people) defeats today’s cyber threats 2020-10-20
This year, we have seen five significant security paradigm shifts in our industry. This includes the acknowledgment that the greater the diversity of our data sets, the better the AI and machine learning outcomes. This diversity gives us an advantage over our cyber adversaries and improves our threat intelligence. It allows us to respond swiftly… […]
Announcing the Zero Trust Deployment Center 2020-10-15
Organizations have been digitally transforming at warp speed in response to the way businesses operate and how people work. As a result, digital security teams have been under immense pressure to ensure their environments are resilient and secure. Many have turned to a Zero Trust security model to simplify the security challenges from this transformation and the shift to remote… […]
CISO Stressbusters: 7 tips for weathering the cybersecurity storms 2020-10-15
An essential requirement of being a Chief Information Security Officer (CISO) is stakeholder management. In many organizations, security is still seen as a support function; meaning, any share of the budget you receive may be viewed jealously by other departments. Bringing change to an organization that’s set in its ways can be a challenge (even… […]
Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions 2020-10-14
It’s hard to keep pace with all the changes happening in the world of cybersecurity. Security experts and leaders must continue learning (and unlearning) to stay ahead of the ever-evolving threat landscape. In fact, many of us are in this field because of our desire to continuously challenge ourselves and serve the greater good. So… […]
Becoming resilient by understanding cybersecurity risks: Part 1 2020-10-13
All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified. This rule of thumb on who should be accountable for risk helps illustrate this relationship:… […]