Tag Archive: XDR

Microsoft announces Security Exposure Management

Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to manage attack surfaces, protect critical assets, and explore and mitigate exposure risk.

From a personal perspective this is going to change a lot in the security business!

It is enabled in the Microsoft Defender XDR portal (https://security.microsoft.com)

Security Exposure Management is currently in public preview.

View the attack surface map; this is BloodHound on steroids!

Microsoft is leading the next chapter of attack surface management so organizations can proactively improve their posture and reduce their exposure, faster than attackers are able to exploit them.

Microsoft Security Exposure Management is in Public preview and empowers organizations to:

  • Build an effective exposure management program with a continuous threat exposure management (CTEM) process.
  • Reduce risk with a clear view of every asset and real-time assessment of potential exposures both inside-out and outside-in.
  • Identify and classify critical assets, ensuring they are protected against a wide variety of threats.
  • Discover and visualize potential adversary intrusion paths, including lateral movement, to proactively identify and stop attacker activity.
  • Communicate exposure risk to business leaders and stakeholders with clear KPIs and actionable insights.
  • Enhance exposure analysis and remediation by integrating with third-party data sources and tools.

The new foundational capabilities for an exposure management program are:

  • Attack Surface Management: Provides a comprehensive view of the entire attack surface, allowing the exploration of assets and their relationships.
  • Attack Path Analysis: Assists security teams in visualizing and prioritizing attack paths and risks across environments, enabling focused remediation efforts to reduce exposure and breach likelihood.
  • Unified Exposure Insights: Provides decision-makers with a consolidated, clear view of an organization’s threat exposure, facilitating security teams in addressing critical questions about security posture.

Current seamless integrations are

  • Vulnerability Management (VRM)
    • Microsoft Defender Vulnerability Management (MDVM)
    • Qualys Vulnerability Management (Preview)
    • Rapid7 Vulnerability Management (Preview)
  • External Attack Surface Management (EASM)
    • Microsoft Defender External Attack Surface Management
  • Cloud Security (CSPM)
    • Microsoft Defender Cloud Security Posture Management (CSPM)
  • Endpoint Security (Device Security Posture)
    • Microsoft Defender for Endpoint (MDE) 
  • Identity Security (ISPM)
    • Microsoft Defender for Identity (MDI) 
    • Microsoft Entra ID (Free, P1, P2)
  • SaaS Security Posture (SSPM)
  • Email Security
    • Microsoft Defender for Office (MDO)
  • OT/IoT Security
    • Microsoft Defender for IoT
  • Asset & Configuration Management
    • ServiceNow CMDB (Preview)

Identifying and resolving attack paths

Who uses Security exposure management?

  • Security and compliance admins responsible for maintaining and improving organizational security posture.
  • Security operations (SecOps) and partner teams who need visibility into data and workloads across organizational silos to effectively detect, investigate, and mitigate security threats.
  • Security architects responsible for solving systematic issues in overall security posture.
  • Chief Information Security Officers (CISOs) and security decision makers who need insights into organizational attack surfaces and exposure in order to understand security risk within organizational risk frameworks.

As always, provide feedback

Happy Hunting!

Attack Simulation Training to be resilient against QR code phishing

QR codes have been a hassle in the cyber world for a while. There are multiple reasons for threat actors to use this method to phish users and compromise accounts.

One reason is that it is difficult to detect (the MDO research team has done a great job in detecting these, huge kudos to you!). The other reason is that the technique forces the user to move to another device. If they read the email on their monitored laptop and then scan the QR code with their phone, it is more difficult to detect, and not all organizations have onboarded their phones to Defender.

Last month Microsoft announced a partnership with Fortra’s Terranova Security and launched two new QR code phishing training modules, available in Attack Simulation Training. This provides a training email for the end user which explains the QR code technique.

How to launch a simulation with QR code

Go to the Defender XDR portal and, under Email & Collaboration, select Attack simulation training.

Select Launch a simulation and follow the wizard

Select the How-to Guide

Select the payload Teaching Guide: How to recognize and report QR phishing messages

Choose your targets

If required, exclude users

Configure your launch details

Monitor

Don’t forget to follow up your simulations with user awareness training to establish a cyber security culture

Happy Hunting!

ADCS Auditing for MDI

Copy Friendly

certutil -setreg CA\AuditFilter 127

net stop certsvc && net start certsvc

Configure auditing on the configuration container

Open ADSI Editor

Right-click the Configuration node (CN=…) and select Properties > Security tab > Advanced

MAKE SURE YOU SELECT THE AUDIT TAB!!

Click Add (VERY IMPORTANT THAT YOU ARE IN THE AUDIT TAB)

Select principal Everyone, Type: All, and Applies to: This object and all descendant objects

Scroll to the bottom and click “Clear”, then scroll back up and check Write all properties

Defender for Identity no longer requires logging 1644 events. If you have this registry setting enabled, you can remove it.

Happy Hunting!

New features in Advanced Hunting – Microsoft 365 Defender

During Ignite, Microsoft announced a new set of features for Advanced Hunting in Microsoft 365 Defender.

These features will definitely help you in the threat hunting process, reduce the gap between analysts, responders and threat hunters, and simplify the life of a threat hunter.

Multi-tab support

When holding hunting training classes, I usually recommend using multiple browser tabs: one for query development, and one for going back to previous queries to see how some things were done earlier.

For example, if you are developing a hunting query and need an if statement, external data, regex or other more advanced features, it is easier to just open a previous query to see how it was solved last time, at least until you get more fluent in KQL. This avoids having to save your new query, go back to the old one, and then return to the new one again.

With the multi-tab support we can open the query in a new tab.

Resource usage

The new hunting page now shows the resource usage for the query: both the timing and an indicator of the resource usage.

This makes it easy to see when query optimization is recommended or needed.
You could, for example, use equals or has instead of contains, or remove unused columns to reduce the dataset, when that is feasible.

If you would like to learn more about how to optimize queries, please visit:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide

UX

Schema, Functions, Queries and Detection Rules have been separated into tabs for, in my opinion, easier access and pivoting, which gives a better overview in each tab.

Schema Reference

The schema reference will open as a side pane.

When looking at one of the *Events tables, the ActionType column is very useful to see which events are being logged.
Earlier, I usually selected distinct ActionType in the query to have a look at the events being logged. Now, it’s possible to use the quick access from the portal to expand all action types for a specific table.

The image above shows the action types for DeviceFileEvents. In DeviceEvents there are around 180 different action types to query.

For hunting query development and hunting use cases, the action types are a great go-to resource.

The columns in the schema reference are clickable and can easily be added to the query.

Simple query management

Inspect record

The inspect record pane is an easy way to see the data for one single row. When developing new queries I usually take a subset of data (take/limit 20) to see an overview of the results, and also select an event to see all data instead of side scrolling through all columns when needed.

A new feature in inspect record is quick filters, which are added to the query.

In this example we would like to know more about process executions from the C:\AttackTools folder.

If we would like other pre-defined FolderPath filters, we can select View more filters for FolderPath.
We can continue the query development and, as in the example below, get the count for each file in the folder specified in the query.
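The filter-then-count step described above, written out as an added example (not the author's query from the post) that also applies the optimization advice from the Resource usage section: time filter first, a prefix match instead of contains, and only the needed columns kept. The 7-day window and the output column names are assumptions.

```kusto
// Added example: count process executions per file from C:\AttackTools.
DeviceProcessEvents
| where Timestamp > ago(7d)                       // assumed window; narrow the dataset first
| where FolderPath startswith @"C:\AttackTools"   // prefix match is cheaper than contains
| project Timestamp, DeviceId, DeviceName, FileName, SHA1, AccountName
| summarize Executions = count(),
            Devices    = dcount(DeviceId),
            Accounts   = make_set(AccountName, 10),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp)
          by FileName, SHA1
| order by Executions desc
```

Grouping by SHA1 as well as FileName separates renamed copies of the same binary from different binaries that share a name.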

Last but definitely not least

Link the query results to an incident

This is my favorite; it will reduce the gap and simplify the process between threat hunters, responders, and analysts.

By selecting the relevant events in the result, they can be added to an existing incident or used to create a new incident.

This feature will help organizations define threat hunting both in a proactive hunting scenario and in a reactive, post-breach scenario where the hunters assist analysts and responders through a simplified process.

How to link the data to an incident

To be able to link the data, you need to have the following columns in the output:

  • Timestamp
  • DeviceId/AccountObjectID/AccountSid/RecipientEmailAddress (Depending on query table)
  • ReportId

Develop and run the query

Please note that you cannot have multiple queries in the query window when linking to an incident.

Choose to create a new incident or link to an existing one.

Add the necessary details and click Next.
Select the impacted entities.
After finishing the wizard, the data will end up in a new alert in the incident.

Last tip

Run a quick check in your environment to see if you have remote internet-based logon attempts on your devices by looking for RemoteIPType == "Public". There are other cases where RemoteIPType is useful, such as processes communicating with the Internet.
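One way to run that check, as an added example that is not part of the original post. It keeps Timestamp, DeviceId and ReportId in the output so the rows can be linked to an incident as described earlier; the 7-day window, the logon types chosen and the summary column names are assumptions.

```kusto
// Added example: remote logon attempts from public IP addresses, per device and source IP.
DeviceLogonEvents
| where Timestamp > ago(7d)                               // assumed window
| where RemoteIPType == "Public"
| where LogonType in ("RemoteInteractive", "Network")     // assumed: RDP and network logons
| summarize Attempts  = count(),
            Failed    = countif(ActionType == "LogonFailed"),
            Succeeded = countif(ActionType == "LogonSuccess"),
            Accounts  = dcount(AccountName),
            arg_max(Timestamp, ReportId)                  // latest event; keeps Timestamp and ReportId
          by DeviceId, DeviceName, RemoteIP
| order by Succeeded desc, Attempts desc
```

Rows with a high Failed count followed by a non-zero Succeeded count from the same RemoteIP are the ones to triage first.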

Happy Hunting!