
All right, thank you, Rami. That was a great talk; I definitely learned a lot from all those breaches. It's good to learn from other people's mistakes; better than your own mistakes. So thank you very much. I will bring on the next speaker shortly. Actually, it's 10:44, so let's get ready to bring on our next speaker, David. Before that, I would like to say a special thank you to Palo Alto Networks for the gold sponsorship. Be sure to visit their Discord breakout room and enter their raffle for a chance to win some cool prizes.

But let's introduce David Branscombe. He's going to be speaking on "A-Hunting We Will Go: Adventures in Endpoint Threat Detection." So thank you, David, and let's get started.

All right, I'm assuming you can hear me okay?

Yes, I can hear you. All right.
All right, so my name's Dave Branscombe. I'm a cloud security architect with Microsoft, and so, as you can imagine, a lot of the information that I'm talking about today is going to be slanted toward a Microsoft environment and how endpoint threat detection can be done in a Microsoft environment. So let's talk about the problem that we're trying to address with this. Let me get rid of this little message here. A lot of network defense goes wrong before there's any contact with an adversary, and that starts with how defenders think about the battlefield. Most defenders, if you think about it, look at the idea of protecting their assets, and so that means prioritizing them, maybe sorting them by workload, maybe by business function. So they think of lists: lists of things that they need to protect. Attackers, on the other hand, breach a network by landing somewhere in the network graph, and that can be done through a number of different techniques, but it could be something as simple as just a phishing email. Wherever they land in that graph, they then just have to figure out where they go from there to get to the assets that they need. Once they have that entry point, how do they pivot, how do they move laterally? Because they aren't following the defender's list. They aren't looking at it from the perspective of "okay, first I have to go through the firewall, then I have to evade the detections in the IDS or the IPS or whatever." They're just looking at "wherever I get in, how do I get to what I want?" at that point. As long as there's this divergence in thinking, this difference in the way that defenders and attackers think, attackers are going to win, because we're approaching the battlefield from the wrong perspective as defenders. For years, as defenders, we've built our defenses this way, based on the assumption that attackers will launch attacks in the order that we have prioritized our defenses.

In reality, that isn't how it works at all. Attackers don't care where their entry to the network is; they only care that they're able to get in, and then they can move wherever they need to go once they're inside the network. So what we're going to do is walk through an example of an attack that is a fairly common way that an attacker would breach a network and move laterally across it, and we'll see how some of the tools that we've built into Microsoft Defender, and some of the other tools, Office 365 ATP and Azure ATP, are able to detect an attack, and how you can use that to comprehensively understand the way that an attacker breached the network, from just a malicious email all the way to the point where they're exfiltrating the NTDS.dit.

All right, so let's go hunting. What I'm going to do here is start off with four different views, four different portals, that we're going to look at first. The first is the Office 365 Security and Compliance Center, and in this case what we're looking at is an email message that was detected to contain some malware. This was malware that was detected and removed after delivery, so this is not uncommon; sometimes messages will get through
that contain a piece of malware that is not caught by the initial message hygiene servers. These kinds of things happen on a fairly regular basis. If we look at the Defender Security Center, here we're looking at the actual endpoints, and we see that there has been a possible credential theft from the NTDS.dit. The NTDS.dit file, as most of you are probably very well aware, is the Windows NT Directory Services file. This is the heart of Active Directory; it's where all of Active Directory is stored, including password hashes. So if an attacker gets hold of the NTDS.dit, then they're able to extract information about the users in the domain and even steal the credentials for those users, and that allows them to elevate their privileges and reach the assets that they're interested in. If I go to Cloud App Security, which is our cloud access security broker, we see that there was a suspected overpass-the-hash attack taking place. An overpass-the-hash attack is a lateral movement technique where an attacker steals an NTLM hash and creates a forged Kerberos ticket from it to gain the permissions of a more privileged user. In this case we can see that the attacker was able to leverage the credentials and authenticate successfully to a PC. And then finally we're in the Microsoft 365 Security Center, and here we can see all the different alerts that are coming into the security center. If you're on the SecOps team, you can see that there are the same three alerts that we just looked at in these other portals, so we can see things like suspected credential theft activity, suspicious behavior by Microsoft Word, an email message containing malware. We see many of the same alerts that we saw in these other portals synthesized into a single portal. The key thing that we're looking at here is that alerts are surfaced in individual portals, but they're also combined into a single view so that a SOC analyst would be able to pull these different alerts from different locations together and start to make sense of them. If we scroll down a little bit, here we have the possible credential theft from the NTDS.dit, so all the same alerts that we saw over here are brought together into the M365 Security Center. If you scroll over, the important thing to note here is that we have the sources of these alerts highlighted as well, so wherever these alerts are coming from, where they're originating, whether they come from Cloud App Security, from Defender, or from Azure Active Directory, they'll be
identified here so that you can see what source generated the alerts. All right, so let's go here, close this, close that, and we'll just work in this alerts view. So we're in the alert for this particular incident. If we go to the summary of the incident, we get a summary overview of the entire incident all up. If you're on the SecOps team, you can start to make some informed triage decisions here, and it also helps us to track the progress on remediating the threat and restoring whatever assets have been impacted to a healthy and secure state. The first thing that we see here is that we are tracking which tactics were used from a MITRE perspective. This is really important because throughout the use of this tool you see indications and messages that show which MITRE ATT&CK tactics have been used in this particular incident. We see the alert chain here. If we scroll down a little bit, we also see the impacted devices, the impacted users, and you see that there was an impacted mailbox. So as part of this overall incident, these are the impacted entities that we care about; these are the ones that we have to investigate. Scroll down a little bit, and we also have the ability to group things according to tags. We can tag resources in our environment and say these are things that have sensitive data, these are things that are part of the same incident. So we can tag resources and say they're part of incident number 65043 or whatever, and then remove those tags after the fact, so that we can group them according to that tagging capability. But what I want you to notice over here is the timeline. The timeline shows us how things were carried out in progression, so we're taking a look at the individual alerts and correlating them together according to how the attacker moved, maybe from a malicious file in an email, to running a suspicious PowerShell command, to enumerating SMB sessions, and so on. So you get a sense for how the attacker has performed the attack.

Let's open the alerts here. We were in the summary tab; now we're back in the alerts tab. We see that there was malware identified, and this was delivered through Exchange into the user's Outlook mailbox, and this was based on a file hash, or a comparison of file hashes, that was done by Microsoft Defender for Office 365. So we see here that this malicious file was detected based on an indication
provided by Office 365. Let's open that up. If we dig into this individual alert, we have a lot of information about the alert itself. As the alerts are triggered, there are security playbooks behind the scenes in Office 365 that actually go into effect. You might think of these security playbooks as backend policies that are at the heart of the automation in Microsoft Defender and, overall, in the Microsoft 365 Security Center. A security playbook is launched automatically when specific types of alerts are triggered within an organization. Once that alert is triggered, the playbook is run by what is called the automated investigation and response system, the AIR system.

The investigation steps look at all the associated metadata of the alert, including things like the message that was delivered, the user that received the message, and any devices that the user was on at the time. Then, based on the investigation playbook's findings, the automated investigation recommends a set of actions that your organization's security team can take to control and mitigate that threat. So let's go over here to the investigations tab. Here we can see the investigations that are associated with this overall incident, so there are individual investigations taking place, triggered by the alerts. This allows our SecOps team to quickly review the investigations: what alerts triggered them, what their status is, where the alert came from (as you can see here, the service source), as well as the entities that were involved, which machines were involved in this particular incident. If we go again to "the malicious file was detected based on the indication provided by Office 365," we get an investigation graph. This investigation graph gives us a sense of the things that were investigated as part of this specific investigation. We looked at Barbara's PC, we looked at files, services, and so on on that machine, and we found that there was one file that was remediated. If we go to devices, we get some information coming from the Defender for Endpoint center, and if we click on Barbara's machine, we get some information over here: we can tell what domain her machine is a member of and what OS she is running. Within Defender we have the ability to fully automate remediation, and there are different levels of automated remediation that can take place. So if you have, for example, a medical device that is running Windows in the background, you might say, "I don't want that to be automatically remediated," because then it's going to fall outside of the standards we have that these medical devices shouldn't be tampered with unless there's a strict change control log. You can define how these assets should be remediated; in this case, this one is fully automated with the remediation.
If we scroll down here, this is a key point: we see the users that have logged on to this particular machine, Barbara's PC. The ones that have logged on are Barbara and Eric Doubles. Now this is going to become important, because as the attacker logs onto the machine, he wants to try to elevate his privileges, and so Eric Doubles is going to be one of the entities that's going to be exploited in this particular incident. Let's go back up here to the overall incident and click on the alerts tab again, and we'll go to the email messages. All right, we looked at this once already; actually, let's go to the investigation.

One of the investigations here shows "mail with malware is zapped." ZAP just stands for zero-hour auto purge. What this is doing is: if a message comes into your email system and contains a piece of malware, but it's not detected by the system initially, and then later on we do identify it as malware, we can go back in and perform the zero-hour auto purge. That will go through all the mailboxes in your environment and remove instances of that malware in those mailboxes. This will also be done against all Office 365 tenants, so if this piece of malware is identified in your particular tenant, we'll zap it from your tenant, but we'll also then use the information that we receive to zap it from any other tenants that exist around the world. Notice here that we've got some IDs and statuses and things like this. What we're going to do is click on this ID number, go to alerts, and click on the zapped malware alert. Now in the details section here, I want you to notice where we've identified this email as having come in: we see that it came into Barbara's mailbox, so she's the one that initially received the email. That's our starting point. Now let's go to the email. We start to look at the alerts related to email, and we see things related to different attachments. We're looking at the file hash in the attachments for the email, we're looking at clusters of email that are sent from juno.com (that's where the attacker sent the email from), we're looking at subject lines, we're looking at source IP addresses, and then another subject line; there must be something slightly different about that one. But we're trying to narrow down where else this type of email might have been sourced. Now let's look at the email received by Barbara. The alert got into this incident because it triggered on the same user mailbox, Barbara at mtpdemos.net.

We see that the sender was this user at juno.com, and so, like I said, we've got these different clusters of email that help us to narrow down where this email was sourced from, and they can help us to track any other attacks that were very similar, maybe coming from the same juno address, or coming from the same IP address, or containing the same file hash. And so we can see instances of how the message was handled: whether it was detected as phishing, whether it was sent to a junk mailbox, whether it was blocked, whatever it might have been.
So we now know that, based on this incident, the malware didn't stop simply at Barbara's mailbox. Let me go back to the alerts and scroll down a little bit. We can also see from the alerts that the attacker began to enumerate information about users that had recently had a session open to a domain controller. We see enumeration of SMB sessions on a domain controller, and we see user and IP address reconnaissance done over SMB. So let's look at that. If I start to look into the details of this individual alert, we see the service is Azure ATP, we see when this happened, and then in the alert description we see that the user account Barbara opened up some SMB sessions to the domain controller and received some IP addresses for two accounts. So let's get some more detail about this. Now we've switched over to Cloud App Security, so we're moving into a different portal. Notice here the attacker's inside the network: they got initial access to Barbara's PC, and from there they began to enumerate these SMB sessions to the domain controller. They received information about some IP addresses and two accounts. So let's see what the information was they received: they got information about Barbara, or about some IP addresses that were exposed, and the same thing for this other machine. So Barbara seems to be one of the people that's being targeted here, so we want to find out more about Barbara and what risk this poses to the organization.

Let's close this and go to the users tab. Remember, before, we highlighted the entities that were identified as being at risk in this incident: rotambu is one of the people that was identified, Eric Gubbels is another one, and Barbara is one. So let's take a look at Barbara. If I open the user page for Barbara, it takes me again to Cloud App Security and gives me some information about Barbara: who she is, where she was last logged on, how many times she was logged on, what devices she interacts with, how to contact her, and things like that. If we scroll down, we see her contact information, and we can get in contact with her and find out information. For example, one of the things that shows up here is that we're seeing activity from an infrequent country, so we could make contact with Barbara and ask her, "Did you log in from this other country recently? Were you on vacation? Were you traveling for work?" whatever it might be, to get some more context for the things that we see happening here. Digging a little bit deeper, we check the investigation priority of Barbara, and we're asking the question of where she stands in terms of security or risk for the organization. We see that over the last two weeks she's in the top 90 percent risk category for the entire organization, so there's clearly something happening with Barbara's account that we need to investigate. This investigation priority is built on the alerts that are associated with her and the risky activities that are associated with her. We see a whole lot of activities and alerts taking place here, things like suspicious inbox forwarding, a mass deletion of files, remote code execution attempts. All these things give us indicators that something unusual is happening with Barbara's account.
The advanced hunting tool is what we can use now to start to hunt over the different security telemetry that's coming from all these different sources. If we go here to "go hunt," this is going to take us to a different portal, and this is where we can do one of two different things: we can either initiate an investigation that starts with a hypothesis (we think something is happening in the organization), or we can start from an ongoing investigation. This tool is using what we call Kusto Query Language, KQL. This is a language that's also used in Log Analytics and Azure Sentinel, our cloud-based SIEM, as well as in Microsoft Defender for Endpoint. With this we can perform queries against our environment, and it can very quickly query thousands of endpoints and bring back information that's important to us. Notice that we're going to be looking for the account name Barbara; we're going to be looking for different account SIDs and so on. We don't need all this detail to run the query, so we're going to remove some of it, highlight a little bit of it, and now we're just looking for some basic information here. Let's run the query, and notice we get back some information here from the query, from Active Directory, and we start to see some interesting information about the actions that were taken. You remember that there were queries done and an enumeration of groups. When there was a query done, perhaps the attacker was trying to figure out who the local admins are that have access to these servers, who the people are that are part of Domain Admins. So we start to see that type of query taking place here, and we understand what the attacker was doing with the privileges that they had received. They found out that they were able to log in as Barbara, but they were also able to find out who else was a member of the local admins on this machine. This person maybe had higher privileges, and so they used those privileges to begin enumerating the groups on the machine, and then from there they're able to start doing queries about some higher-privileged groups.
All right, lateral movement. We head back here to the incident and to the alerts tab, and we want to see how the attacker is going to try to gain the credentials of more privileged users and start to move laterally. Currently they have privileges for Barbara, but what else do they want to do? We see down here that there was this reconnaissance that took place, the user and IP address reconnaissance, and if we scroll down a little bit, you see here that there are some credential theft actions taking place: suspected credential theft activity, malicious credential theft, we see the use of Mimikatz, you see this suspicious LSASS process access. So clearly the attacker is trying to perform some sort of attack against the user credentials and escalate their privileges. Going back to the users, let's take a look at Eric now. What this tells us at a quick glance is that Eric is a member of the help desk team; he's a member of information technology. What that means, or what we can infer from this, is that since he is a member of the help desk team, the likelihood is that he has local admin permissions on Barbara's PC. We know that Barbara's PC was the one that was compromised, and Eric likely has local admin permissions to that PC. It also may explain some other credential escalations for a user named Roberto. If we go to the next page of the alerts, we see a suspected overpass-the-hash attack, and we see that this took place on Roberto's machine. So let's take a closer look at this. If we scroll down, let's take a look at the alert description here. We see Roberto Tamborello is the infrastructure services manager on this PC, and he was successfully authenticated against this domain controller. So again, a privileged user, and we're performing an authentication against the DC, so this is starting to look more concerning. Scrolling down, we see the impacted assets; we see his PC is impacted. If we click on the top impacted entities, there again we see his machine and we see his user account. So we see that it wasn't just the machine that was compromised, but also potentially his user account has been compromised.
Go back and scroll down a little bit. Going back to some of the alerts that we're looking at, remember we talked about this suspicious LSASS process, and then we've also got this successful logon using potentially stolen credentials. This tells us that there was some suspicious activity performed, and as a result of that activity, this credential theft, the attacker was able to log on using stolen credentials. Let's scroll over, one, two, three lines up. We see that the detection source in this case was Defender ATP, we see that it was a lateral movement activity, and they were able to connect to an AAD Connect server, and this detection source was Microsoft Threat Protection. This gives us the ability to automatically detect any new anomalies by correlating these alerts and the events that are coming from these Microsoft sources. All right, let's open up this suspicious LSASS process. Why was this alert triggered? We saw the overpass-the-hash attack, and then it was enriched by more data and activities that were observed on the same device. So we see that there was this overpass-the-hash attack: they obtained a password hash from memory and then used the hash to obtain a ticket. Scroll down a little bit, and with the domain admin credentials the attacker was able to move laterally within the domain. This tells us that because of this compromise of Roberto's machine and Roberto's user account, they were able to escalate their privileges to domain admin. Now what did they do with this? Here we see that they performed this credential theft from the NTDS.dit, and so what we see taking place here is that they dumped the NTDS.dit in order to obtain the credentials that they need, which are stored on the domain controller. We've got our alert details here, we've got the alert that was triggered by the actions that were taking place, and we see the impacted assets; the impacted asset in this case is the domain controller.

All right, let's take a look at one more thing. They've compromised the NTDS.dit, they've been able to capture it and start stealing credentials from it, and then what else did they do? Well, we see that there was suspicious inbox forwarding, so let's take a look at what they did there. It's not uncommon for attackers to set up inbox forwarding rules once they've compromised a set of users in order to exfiltrate data, and so likely the attacker is using this to exfiltrate some sensitive data. At the top right of this alert we see that it's part of the same incident that we've been investigating all along, so it's all part of the same incident. It tells us what the severity is of this overall incident, and notice from this individual alert we see the description of what took place: we see that the user is an administrator, we see that this is the IP address that the forwarding was configured from, and then we see the MITRE tactic that is being leveraged in this case to perform the attack.
So the attacker is now exfiltrating data from the organization after having escalated their privileges and, again, compromising the NTDS.dit. Let's now go to the Action Center. In the Action Center we see a list of pending actions that a security administrator can act on to respond to different security alerts. This is again an aggregated view of a whole bunch of different sources across Microsoft 365 and Azure to enable proactive solutions to different threats that exist. Let's go to the history tab now. If I want to filter the events, I can go and filter on the last six months; I want to get a few more items on each page. If I click on filters and scroll up, what I want to look for are quarantined files. This quarantine file action shows us the details of the file, which ones were automatically remediated, and there's also a detailed report that shows what kind of malware the file contains. So let's take a look; we want to look at the domain controller asset and apply. If we go a little bit into our history list, there was user activity where a process was stopped, and so we want to take a look at that incident. We're going to take a look at the first result here. At the top of this alert you can open the automatic investigation page, which gives us more information about this particular alert. We're able to either approve or reject the suggested actions that are provided here, and then down here we get information about the file itself. We see there is a file, a PowerShell script that was run, called Invoke-TokenManipulation.ps1. A little more information here: we go to the alert details, we've got some more information, and notice again we have timing for the event, we have information about the detection source, we have information about the incident, and then what the recommended actions are to remediate this incident. In this case there was an automated investigation that was performed and the issue was remediated, but if it was unable to be remediated automatically, we could take action manually to resolve the issue.
Let's clear the filters, and now what we're going to do is filter by the "stop process" filter. There we go, apply. Here we have some processes that were stopped, and we have information about the process name and the process ID. In this case it was always named notepad.exe; it's not uncommon for attackers to rename processes to something that looks innocuous. Let's take a look at this one. Now if we look in the action details, we see that somehow this Notepad application tried to run some PowerShell scripts, or partial code rather, which doesn't make a whole lot of sense; that shouldn't be what's happening here. So we see a process abnormally injected code into another process; unexpected code may be running in the target process. Memory injection is often used to hide malicious code execution within a trusted process. Here we see the MITRE ATT&CK technique, process injection, and we clearly know what's taking place: the attacker is using Notepad as a method of injecting this PowerShell process and running it.

So let's take a look over here in the hunting menu, and we're going to go find out how we can prevent the attacker from getting into the network the same way again. Let's go to the "get started" tab, and over here let's scroll down a little bit. We can have saved queries. The query that we ran before to identify the machines that had Barbara Moreland's PC, or that had Barbara Moreland's email address associated with it: we can save queries if we want to. So let's take a look at what's already been saved here. We see one for "MTP demo: outside email with URL to log on and file download," so we've already got a query saved here that takes the action that when an email is sent from outside the organization, after the email has been received, and it tries to steal the credentials of an end user, we want to identify that type of action with this query. So let's run the query, and we see the results that came back here. We see one here with the email subject of "important MCGCs" and blah blah blah.
We get some information here that Ann Hill and her mailbox received the same email, and so what we want to do is take a section of this query, insert the indicator of compromise that identifies this actor, and create a custom detection to let the SecOps team know, when that actor comes back into the network, that we're able to identify them. The IoC that they're going to use is the domain that the actor sent the emails containing malware from, which was juno.com. Basically this allows the query to run in the background and create an alert when the same activity happens again. So let's create a detection rule, and we'll call this rule "add email to endpoint." Select frequency: every three hours, so this alert is running every three hours. We'll call the alert title "add email to endpoint" as well. We'll click on the severity and call it medium. Select the category, and here we can define what type of category it is. We can define the MITRE technique that we consider this to be, so we're considering it spear phishing with an attachment, and then we'll just put a brief description in here, and then click next. A check for looking in the mailbox's recipient email address...

All right, David, we've got to cut you off here. It's 11:30 and it's time for our next speaker.

Okay.
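As an added example that is not part of the talk and not Microsoft's code: the "email to endpoint" custom detection the speaker builds at the end, written out as plain Python over constructed sample events, so the join the rule performs (IoC sender domain, attachment hash, recipient's own endpoint) can be read and run offline. The event field names, the recipient-to-account join, and the three-hour matching window are assumptions, loosely modelled on the advanced hunting schema rather than copied from it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class EmailAttachmentEvent:      # assumed shape, loosely modelled on EmailAttachmentInfo
    timestamp: datetime
    sender_from_address: str
    recipient_email: str
    sha256: str


@dataclass(frozen=True)
class DeviceFileEvent:           # assumed shape, loosely modelled on DeviceFileEvents
    timestamp: datetime
    device_name: str
    account_upn: str
    sha256: str


@dataclass(frozen=True)
class Alert:
    title: str
    severity: str
    technique: str
    recipient: str
    device: str
    sha256: str
    minutes_to_endpoint: float


# The indicator of compromise named in the talk: the malicious mail's sender domain.
IOC_SENDER_DOMAINS = frozenset({"juno.com"})
RULE_TITLE = "email to endpoint"
RULE_SEVERITY = "medium"
RULE_TECHNIQUE = "T1566.001 Spearphishing Attachment"


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def email_to_endpoint(email_events, file_events,
                      ioc_domains=IOC_SENDER_DOMAINS, window=timedelta(hours=3)):
    """Tie an IoC-domain attachment to the recipient's own endpoint by SHA-256.
    `window` is an assumption: the rule in the talk runs every three hours, so a
    file write is matched only to an email delivered at most that long before it."""
    by_hash_and_user = {}
    for fe in file_events:
        key = (fe.sha256.lower(), fe.account_upn.lower())
        by_hash_and_user.setdefault(key, []).append(fe)

    alerts = []
    for ee in email_events:
        if sender_domain(ee.sender_from_address) not in ioc_domains:
            continue  # not the actor this rule watches for
        key = (ee.sha256.lower(), ee.recipient_email.lower())
        for fe in by_hash_and_user.get(key, []):
            delta = fe.timestamp - ee.timestamp
            if timedelta(0) <= delta <= window:  # written to disk after delivery
                alerts.append(Alert(RULE_TITLE, RULE_SEVERITY, RULE_TECHNIQUE,
                                    ee.recipient_email, fe.device_name,
                                    ee.sha256.lower(), delta.total_seconds() / 60))
    return alerts


# Constructed sample telemetry, not events from the demo tenant. Hashes are
# derived from placeholder bytes so they are obviously made up.
MAL_HASH = hashlib.sha256(b"constructed malicious attachment").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed benign attachment").hexdigest()
T0 = datetime(2020, 10, 1, 9, 0)

SAMPLE_EMAILS = [
    EmailAttachmentEvent(T0, "someone@juno.com", "barbara@mtpdemos.net", MAL_HASH),
    # Ann Hill received the same mail (as in the talk) but never opened it.
    EmailAttachmentEvent(T0 + timedelta(minutes=2), "someone@juno.com",
                         "annhill@mtpdemos.net", MAL_HASH),
    EmailAttachmentEvent(T0, "partner@example.com", "roberto@mtpdemos.net", BENIGN_HASH),
]
SAMPLE_FILES = [
    # Barbara's attachment written to her PC seven minutes after delivery.
    DeviceFileEvent(T0 + timedelta(minutes=7), "barbara-pc", "barbara@mtpdemos.net", MAL_HASH),
    # Same hash, same user, but a day before the mail: outside the window.
    DeviceFileEvent(T0 - timedelta(days=1), "lab-vm", "barbara@mtpdemos.net", MAL_HASH),
    # Attachment from a non-IoC sender: only fires if that domain is added as an IoC.
    DeviceFileEvent(T0 + timedelta(minutes=3), "roberto-pc", "roberto@mtpdemos.net", BENIGN_HASH),
]


def run_sample(ioc_domains=IOC_SENDER_DOMAINS):
    return email_to_endpoint(SAMPLE_EMAILS, SAMPLE_FILES, ioc_domains)
```

On the sample data only Barbara's mail produces an alert; Ann's copy of the same attachment never reaches a device, and the earlier lab-vm write falls outside the window.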