Tag Archive: MDE

Microsoft Defender XDR Deceptions Feature

Last year Microsoft announced a deception capability in Microsoft Defender for Endpoint. The idea with the deception is that adversaries access a Decoys or Lure which will trigger an incident for the response team to act on.

In Settings > Endpoints > Advanced features

Enable Deception

To create Deception rules

In Settings > Endpoints > Deception rules

It is possible to scope this specific deception rule to Devices with a specific tag

The system will automatically generate Alias or Hostnames which can be edited to better fit your organization

Lures can be autogenerated or use custom lures (file size up to 10MB)

A Lure can be of any filetype except PE files (exe and dll)
It is recommended that the lure contains information of decoys.

Happy Hunting!

Force release from isolation in MDE

It rarely happens, but if it happens, you have a solution…

One of the best response actions in Microsoft Defender for Endpoint (A part of Microsoft 365 Defender) is isolate device. This locks the device in the network stack and will connect any threat actor immediately from the device, or stop the user from doing what they are doing.

This action do have some extra great features. For instance, it will allow connection to the Defender backend which allow SecOps to continue to monitor, run live response (another action which gives SecOps shell access to the endpoint) to further analyze any suspicious behavior.

So what’s force release from isolation?

force release from Isolation is a batch script which will add some registry values to the endpoint to force it to release from isolation. This could be used if something happens on the network side where the endpoint is connected or if there is any other error that could break the release from isolation function from the portal.

Even though it’s very rarely necessary, it’s great to have such feature if something happens.

Downloading script

  • Go to device page and click on the more actions menu
  • Select force release from isolation
  • Run the script with administrative privileges

Script information

  • The script can only be downloaded from the Defender portal ( https://security.microsoft.com )
  • The script is only working for 3 days after download
  • The script is only working for the specific endpoint you download it for
  • Must be executed with local admin privileges

Minimum Requirements

  • Supports only Windows
  • The following Windows versions are supported:
    • Windows 10 21H2 and 22H2 with KB KB5023773
    • Windows 11 version 21H2, all editions with KB5023774
    • Windows 11 version 22H2, all editions with KB5023778

for further information, please visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#forcibly-release-device-from-isolation

Happy Hunting!

Near Real Time Rules in Defender

If you want to find threats earlier it is now possible to use NRT rules in Defender.

Before this, we had the options to use 24h, 12h, 3h, and 1h as the schedule. This gives Defenders the possibility to detect and respond to threat much earlier.


Tables that support Continuous (NRT) frequency

  • AlertEvidence
  • DeviceEvents
  • DeviceFileCertificateInfo
  • DeviceFileEvents
  • DeviceImageLoadEvents
  • DeviceLogonEvents
  • DeviceNetworkEvents
  • DeviceNetworkInfo
  • DeviceInfo
  • DeviceProcessEvents
  • DeviceRegistryEvents
  • EmailAttachmentInfo
  • EmailEvents
  • EmailPostDeliveryEvents
  • EmailUrlInfo
  • UrlClickEvents

The NRT rules does not support externaldata operator and you can only query one table

Configuring NRT (Continuous) Rule

From the Advanced Hunting, develop your query and click and configure the Alert Details

Click Next and select impacted entities (in this case we are using an email table and therefore the impacted entities will be mailbox)
Click Next and configure the actions.
It’s important to think about what the actions means and make sure your query will detect exactly what you want.

Be cautious with the Isolate device when querying Device tables. If you have an error in your detection you may isolate all machines by mistake

It’s now completed!

Don’t forget that you can use the hunting if you want to take response actions on multiple entities very quickly.

From the Result of your hunting query, select the rows where you want to take action and click Take Actions

This brings your the Actions pane and you can choose which actions you need.

Depending on your query (which tables and output) you get different options for your actions. ‘

Stay safe, and Happy Hunting!

Live response is GA for Linux and macOS

Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

Capabilities

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and outcomes of PowerShell scripts.
  • Download files in the background (new!).
  • Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
  • Take or undo remediation actions.

Requirements

  • macOS – Minimum required version: 101.43.84. Supported for Intel-based and ARM-based macOS devices.
  • Linux – Minimum required version: 101.45.13

Happy Hunting

Tamper Protection for Exclusions in Defender

One thing that threat actors commonly do when getting a foothold on a device, is to try to disable Defender services and adding exclusions for their tools which they plan to execute.

For the Defender services, we have had Tamper Protection for some time, but that did not cover exclusions.

Tamper Protection configuration via Intune

Requirements

For Tamper Protection to cover exclusions, the following requirements must be met:

Disable Local Admin Merge

Verifying and troubleshooting

The registry value TPExclusions which is in the HKLM\SOFTWARE\Microsoft\Windows Defender\Features key shows a value of 1 if protected and 0 if not protected. Please note that you cannot change the registry value to protect the exclusions, it’s for information and not configuration

While we talk about Antivirus policies…

We would like to share this as well since it’s something we see when we do Defender assessments, it’s unfortunately very common that these settings are wrong

Cloud block level (high is recommended minimum) and Cloud Extended Timeout check must be set to 50 (seconds)
Sample submission is required for Cloud protection

And for

Happy Hunting!

Containing unmanaged Devices in Defender

For a long time we have been able to isolate onboarded devices in Microsoft Defender for Endpoint. But if a device is not onboarded we could not take any response actions to an eventual threat.

Microsoft has released a feature called Contain device which basically makes the opposite, instead of isolating the compromised device, we can tell all managed devices that they cannot communicate with the specific unmanaged device.

If a contained device changes IP address, the blocking will be updated and changed to the new IP address and the old will be “released” from block.

Defender troubleshooting mode

Troubleshooting mode will make it possible for local admins on the endpoint to override Antivirus policy on the device, including tamper protection. When enabled it give the admin a 3 hour window to do what was intended. After the 3 hour window, the settings will be re-applied again.

Enabling Troubleshooting mode

Go to the Device page in Microsoft 365 Defender and click on the 3 dots menu item and select troubleshooting mode

In the Device action center we can see the following entry

Prerequisites

  • Windows 10 (version 19044.1618 and above)
    Windows 11
    Windows Server 2019
    Windows Server 2022
  • Microsoft Defender for Endpoint must be tenant-enrolled and active on the device. 
  • The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 and above. 

Hunting for events

//Use the following ActionType and the DeviceEvents table
DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"  

Happy Hunting!

Switching tenant in Microsoft 365 Defender

[Updated post]

What’s described in this post is no longer applicable due to TID parameter are added to links in the portal

We developed an extension that does exactly the same thing but this is not needed anymore hence why we won’t release it. Microsoft has updated links in the portal to include the TID-parameter which is awesome and for people working with many customers this is really great news and you don’t need multiple profiles either!

[Old post]

If you work with multiple customers with Microsoft 365 Defender or working in a multi-tenant setup, you have probably noticed that your end up in the first tenant even if changing the tid-parameter in the url.

The reason why this happens is that when for instance, clicking on links in Defender, it will take you to the tenant stored in a cookie, especially if you don’t have the tenant id parameter in the link.

It can be addressed by working with multiple profiles, but if you don’t want that you can just do the following

Open dev tools and go to Application and expand Cookies
Select the security.microsoft.com and right-click on sccauth and select delete

Refresh the page

Happy Hunting!

New features in Advanced Hunting – Microsoft 365 Defender

During Ignite, Microsoft has announced a new set of features in the Advanced Hunting in Microsoft 365 Defender.

These features will definitely help you in the Threat Hunting process and also reduce the gap between analysts, responders and threat hunters and simplify the life of a threat hunter.

Multi-tab support

When having hunting training classes, I usually recommend to use multiple browser tabs. One for the query development, and one used to go back to previous queries to see how some things were done earlier.

for example, if you are developing a hunting query and need an if statement, external data, regex or other more advanced features it is easier to just open a previous query to see how it was solved last time. At least until you get more fluent in KQL. This is to avoid having to save your new query, go back to the old one, and then back to the new again

With the multi-tab support we can open the query in a new tab

Resource usage

The new Hunting Page will now provide the resource usage for the query both timing and an indicator of the resource usage

This will make it easy to see when query optimization is recommended and needed.
You could for example use equals, has instead of contains, remove columns not used to reduce the dataset etc. Of course, when it’s feasible.

If you would like to learn more about how to optimize queries, please visit:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide

UX

Schema, Functions, Queries and Detection Rules have been separated into tabs for, according to my opinion, easier access and pivoting which will give a better overview in each tab.

Schema Reference

The schema reference will open as a side pane




When looking at one of the *events tables, the ActionType column is very useful to see which events are being logged.
Earlier, I usually selected distinct ActionType in the query to have a look at the events being logged. Now, it’s possible to use the quick access from the portal to expand all action types for a specific table.

Above image shows the action types for DeviceFileEvents. In the DeviceEvents there are around 180 different action types to query.

For the hunting query development and hunting use-cases, the action types is a great go-to resource.

The columns in the schema reference is clickable and can in a simple way be added to the query

Simple query management

Inspect record

The inspect record pane is an easy way to see the data for one single row. When developing new queries I usually take a subset of data (take/limit 20) to see an overview of the results, and also select an event to see all data instead of side scrolling through all columns when needed.

New features in inspect record is that we can do quick filters which will be added to the query.

In this example we would like to know more about process executions from the C:\AttackTools folder

If we would like other pre-defined FolderPath filters, we can select View more filters for FolderPath
We can continue the query development and as in below example, get the count for each file in the folder specified in the query.

Last but definitely not leastLink the query results to an incident

This is my favorite, this will reduce the gap and simplify the process between threat hunters, responders, and analysts.

By selecting the relevant events in the result, they can be added to an existing incident, or create a new incidents.

This feature will help organizations to define the threat hunting both in a proactive hunting scenario, and in a reactive, post breach scenario when the hunters will assist analysts and responder with a simplified process.

How to link the data to an incident

To be able to link the data you need to have the following columns in the output

  • Timestamp
  • DeviceId/AccountObjectID/AccountSid/RecipientEmailAddress (Depending on query table)
  • ReportId

Develop and run the query

Please note, you cannot have multiple queries in the query window when linking to incident

Choose to create a new incident or link to an existing

Add the necessary details and click next
Select the impacted entities
After finishing the wizard, the data will end up in a new alert in the incident

Last tip

Run a quick check in your environment to see if you have remote internet-based logon attempts on your devices by looking for RemoteIPType == “Public”. There are other where RemoteIPType is useful, like processes communicating with Internet.

Happy Hunting!

Download quarantined files is GA

As announced by Microsoft last week, the Download quarantined files is generally available.

This will simplify for SecOps to download quarantined files for further analysis.

So, why do SecOps want to download files?

One reason could be that they want to do forensic analysis on the file to see if taken response actions was enough or extract indicator which they can hunt for.

The feature is enabled in advanced features and is enabled by default

MDATP Settings – Microsoft 365 security

Cloud protection integration

The file download is dependent on the sample submission settings. Make sure it’s turned on!

Requirements 

The file download is available from multiple pages in defender

It’s also visible on the file page, and the reason why we want to have the option to download in multiple pages is to avoid having to switch view and to be able to take the actions where we are in the portal

Update

The possibility to set password for the file download makes it more safe and also avoid file to be detected during download