Microsoft Security Copilot Blog
Next-Gen Device Incident Investigation & Threat Hunting with Custom Plugins

biyuexu, Microsoft
Feb 07, 2025

Get ready to explore two custom plugins designed for device investigation and threat hunting! A real-world incident investigation will showcase the features and impact these plugins bring to the table.

Security Copilot custom plugins let you extend Security Copilot beyond the preinstalled and third-party plugins. This blog introduces two custom plugins that you can install and use in your environment. An incident investigation case study demonstrates the features of these two custom plugins, and a step-by-step guide walks you through the setup process, which takes only a few clicks.

The first custom plugin, “Custom Plugin Defender Device Investigation”, provides the following skills:

Title: File - Files Downloaded

  • Description: Lists files downloaded to this device in a specific timeframe within the past 30 days.

Title: File - Last 15 Days Files Downloaded

  • Description: Lists files downloaded to this device in the last 15 days.

Title: File - Any Device Events Related To This File

  • Description: Displays device events that include the filename, in a specific timeframe.

Title: File - Sensitive Files Events

  • Description: Lists sensitive files events on this device in the last 10 days.

Title: File - File Origin

  • Description: Displays the origin or source of the file, in the past 30 days.

Title: Process - Process Executions Summary

  • Description: Summary of process executions on this device in a specific timeframe.

Title: Process - Detailed Process Executions

  • Description: Details all process execution events on the device within a brief period, e.g. an hour.

Title: Process - Detailed Process Events

  • Description: Details the execution events of a specific process on the device within a defined time frame.

Title: Lateral Movement - RDP To Device

  • Description: Inbound RDP connection to this device in a specific timeframe.

Title: Lateral Movement - Logon To Device

  • Description: Logon events from other devices to this device in a specific timeframe.

Title: Lateral Movement - Logons To Device In Last 10 Days

  • Description: Logon events from other devices to this device in the last 10 days.

Title: Network - Outbound Network Events

  • Description: Device outbound network events, including attempts and failed connections.

Title: Network - Inbound Network Events

  • Description: Device inbound network events and attempts in a specific timeframe.

Title: Network - Device Listening Ports

  • Description: Displays device listening ports in a specific timeframe.

Title: Device Events - Scheduled Task Events

  • Description: Scheduled task events seen on a device in a specific timeframe.

Title: Device Events - User Account Events

  • Description: User account events seen on a device in a specific timeframe.

Title: Device Events - User Account Added Or Removed From Local Group

  • Description: User account added or removed from local group in a specific timeframe.

Title: Suspicious Activities - ASR Rules Triggered

  • Description: ASR rules that were triggered on this device in the past 7 days.

Title: Suspicious Activities - ASMSI Script Detection

  • Description: Script detections from the Windows Antimalware Scan Interface (AMSI) in the past 7 days.

Title: Suspicious Activities - Exploit Guard Events

  • Description: Exploit Guard events detected on this device in the past 7 days.

Title: Suspicious Activities - Network Protection Events

  • Description: Network Protection events triggered on this device in the past 7 days.

Title: Suspicious Activities - Device Tampering Attempts

  • Description: Possible tampering attempts on this device in the past 7 days.

The second custom plugin, “Custom Plugin Defender Device Info”, offers specific device information often needed during an investigation. Its skills include:

Title: Device OS Information

  • Description: Latest device OS information with the device name as the input.

Title: Device Current and Past IPs

  • Description: The current and past IPs assigned to this device in the last 10 days.

Title: Device Users and Login Counts

  • Description: Lists the users who logged onto this device and how many times, within the last 10 days.

Title: Device Alert Information

  • Description: Alerts observed on this device in the last 30 days.

Title: Device Installed Applications

  • Description: Currently installed applications on this device.

Title: Device Vulnerability Information

  • Description: Vulnerabilities identified on this device.

Title: Device Critical Vulnerabilities

  • Description: Vulnerabilities with a CVSS score of 7 or higher, or for which an exploit is publicly available.

Both custom plugins are available for download from the Security Copilot GitHub repository at this link. Step-by-step guides on how to install the custom plugin will be covered later in this blog.

Let's start by demonstrating some of the capabilities of the two custom plugins through a case study of a Microsoft Defender XDR incident.

For this incident, the Security Copilot incident summary reveals that the threat actor used a credential phishing attack to gain initial access. Over the course of the incident, several instances of lateral movement, credential access, and privilege escalation were detected, impacting users and devices across the network. Key activities included the use of tools like Mimikatz and Rubeus, suspicious remote sessions, and evidence of system manipulation.

From the Security Copilot incident summary, you learn that the attack started when user “jonaw” clicked on a malicious URL in an email. Following that, a suspicious remote session was detected on device “vnevado-win10v”. One way to investigate the suspicious remote session on the device is to use the “Lateral Movement - Logon To Device” skill from the “Custom Plugin Defender Device Investigation” plugin in Security Copilot's standalone mode. This skill presents the logon events that occurred on the device within the specified timeframe. The logon events include console logons, Remote Desktop logons, remote registry logons, scheduled task logons, and more.

You can invoke this skill by navigating to the System Capabilities menu option from the prompt bar. To get to the System Capabilities menu option, select the Prompts option from the prompt bar, as shown next.

Then the System Capabilities menu option appears.

This skill is located under the plugin named “CUSTOM PLUGIN DEFENDER DEVICE INVESTIGATION”, as shown next.

Once this skill is selected, you will need to fill in three input fields: the device name, start time, and end time. For this case study, the alert for the suspicious remote session was triggered for device vnevado-win10v, occurring at approximately 9:42 UTC on November 22nd 2024. For the investigation, let's set the start time to 2024-11-22 9:30 UTC and the end time to 9:50 UTC, as shown in the next screenshot.

The next screenshot demonstrates that Security Copilot executes this skill.

Using the “Export to Excel” option in the Copilot response, you can download and then manually review the logon events. Upon inspection, it is discovered that for device vnevado-win10v, there is a long list of logon events involving different user accounts within the 20-minute time frame. A screenshot showing a portion of the logon events is displayed next.

You can then ask Security Copilot with this prompt: “Can you review the previous output of the logon events for the device vnevado-win10v between 2024-11-22 09:30 and 2024-11-22 09:50, summarize the logon events and also point out anything suspicious”. The next screenshot displays the Security Copilot prompt along with the beginning of its response.

The logon event summary provided by Security Copilot is thorough but a bit long. At the end, it includes the identified suspicious logon activities:

  • There are several instances where logon attempts are followed by successful logons within milliseconds, which could indicate automated or scripted logon attempts.
  • There are 10 logon events with an "Unknown" logon type, which is unusual and may warrant further investigation.
  • The account debrab has one logon event where it is marked as a local admin, which should be verified for legitimacy.

For your reference, the last section of the Security Copilot’s logon event summary is shown in the next screen capture.

After reviewing the logon event summary for device vnevado-win10v, let’s find out who might be the owner of this device. The “Device Users and Login Counts” skill from the “Custom Plugin Defender Device Info” plugin provides a summary of how many times each user has logged into the device over the past 30 days. Typically, the user with the most logins is likely the device owner.

Once the skill is executed for device vnevado-win10v, Security Copilot reports that “user jonaw has logged onto the device vnevado-win10v a total of 189 times in the last 30 days”, as shown in the next screen capture. This helps to identify user “jonaw” as the likely device owner, which in turn makes user “debrab” appear even more suspicious.

Let’s go back to the detailed logon events provided by Security Copilot earlier and take another look at user account “debrab”. The next screenshot shows the logon events for device vnevado-win10v, filtered to display only those associated with the user “debrab”. One notable observation is that the logon type for user “debrab” is either batch or unknown, which appears suspicious as well, especially with one batch logon with local admin privilege.

What is a batch logon type? You can ask Security Copilot for more insights. The next screenshot displays Copilot’s response, which explains that a batch logon type is typically used for scheduled tasks.

The batch logon seems odd in this case. One of Security Copilot's key features is its ability to distinguish between normal and anomalous behavior in IT operations. In this case, let’s ask Security Copilot whether it’s common for someone with local admin privilege to log on to a device through a batch logon.

As seen in the previous screenshot, Security Copilot points out that the batch logon is unusual, as it is typically used for scheduled tasks or automated processes, not for interactive sessions by administrators. Security Copilot’s response further confirms that the batch logon events with user account “debrab” are suspicious. This information and the other Security Copilot observations can assist you in identifying the suspicious remote session detected on device “vnevado-win10v”.
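As an added example (not code from the blog or from the plugin), the three observations Security Copilot reported above, plus the login-count heuristic used to guess the device owner, can be scripted over the exported logon events. The rows are constructed to mimic a DeviceLogonEvents export for vnevado-win10v; the column names follow the Defender schema, while the values, the 50 ms threshold and the owner heuristic are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like a DeviceLogonEvents export for vnevado-win10v
# (column names follow the Defender schema; the values are made up for illustration).
COLS = ("Timestamp", "AccountName", "ActionType", "LogonType", "RemoteDeviceName", "IsLocalAdmin")
SAMPLE_LOGONS = [dict(zip(COLS, row)) for row in [
    ("2024-11-22T09:31:02.120Z", "jonaw",  "LogonSuccess",   "Interactive", "",           False),
    ("2024-11-22T09:40:11.004Z", "debrab", "LogonAttempted", "Batch",       "vnevado-dc", True),
    ("2024-11-22T09:40:11.009Z", "debrab", "LogonSuccess",   "Batch",       "vnevado-dc", True),
    ("2024-11-22T09:41:55.300Z", "debrab", "LogonSuccess",   "Unknown",     "vnevado-dc", False),
    ("2024-11-22T09:42:30.000Z", "svc-bk", "LogonSuccess",   "Service",     "",           False),
    ("2024-11-22T09:45:00.000Z", "jonaw",  "LogonSuccess",   "Interactive", "",           False),
    ("2024-11-22T09:48:10.000Z", "jonaw",  "LogonSuccess",   "Interactive", "",           False),
]]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def rapid_attempt_then_success(rows, max_gap_ms=50):
    """LogonAttempted followed by LogonSuccess for the same account within max_gap_ms.

    Returns (account, success timestamp, gap in ms); sub-second gaps suggest scripted logons.
    The 50 ms default is an assumed threshold, not a value from the blog.
    """
    hits, by_account = [], {}
    for r in sorted(rows, key=lambda r: r["Timestamp"]):
        by_account.setdefault(r["AccountName"], []).append(r)
    for acct, evts in by_account.items():
        for prev, cur in zip(evts, evts[1:]):
            if prev["ActionType"] == "LogonAttempted" and cur["ActionType"] == "LogonSuccess":
                gap = parse_ts(cur["Timestamp"]) - parse_ts(prev["Timestamp"])
                if gap <= timedelta(milliseconds=max_gap_ms):
                    hits.append((acct, cur["Timestamp"], gap // timedelta(milliseconds=1)))
    return hits


def unknown_logon_types(rows):
    """Events whose LogonType the sensor could not classify; unusual and worth a look."""
    return [r for r in rows if r["LogonType"] == "Unknown"]


def admin_batch_logons(rows):
    """Batch (scheduled-task style) logons by an account that holds local admin."""
    return [r for r in rows if r["LogonType"] == "Batch" and r["IsLocalAdmin"]]


def likely_owner(rows):
    """Account with the most successful logons: the heuristic the blog uses for device owner."""
    counts = {}
    for r in rows:
        if r["ActionType"] == "LogonSuccess":
            counts[r["AccountName"]] = counts.get(r["AccountName"], 0) + 1
    return max(counts, key=counts.get), counts


if __name__ == "__main__":
    print("rapid attempt->success:", rapid_attempt_then_success(SAMPLE_LOGONS))
    print("unknown logon types:", len(unknown_logon_types(SAMPLE_LOGONS)))
    print("admin batch logons:", [(r["AccountName"], r["Timestamp"]) for r in admin_batch_logons(SAMPLE_LOGONS)])
    print("likely owner:", likely_owner(SAMPLE_LOGONS)[0])
```

On a real export, load the Excel or CSV rows into the same dict shape and the checks apply unchanged.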

The incident summary generated by Security Copilot not only mentions the detection of a suspicious remote session on device vnevado-win10v, but also reports the presence of suspicious files, including mimikatz.exe, rubeus.exe, xcopy.exe, and powershell.exe. The incident summary snippet is displayed next for reference.

Let’s now examine what occurred on the device involving these suspicious files. A quick and easy way to start the investigation is to check for files downloaded to the device and to review the device's process execution events around the time of the incident, looking for anything suspicious.

Manually checking for downloaded files and examining process execution events can be time-consuming and labor-intensive. However, with the help of Security Copilot, these tasks can be performed more quickly and efficiently.

The “File - Files Downloaded” skill from the “Custom Plugin Defender Device Investigation” plugin can be used to quickly identify files that were downloaded onto a device within a specific time period. Then, the “Process - Process Executions Summary” skill from the same Security Copilot plugin can be used to list the processes that executed on the device during the same timeframe. You can then ask Security Copilot to analyze these processes to identify anything suspicious.

After the “File - Files Downloaded” skill executes, Security Copilot identifies that a file named DomainDominance198.zip was downloaded to device vnevado-win10v.

Another thing to keep in mind is that not all the information from the Copilot findings is directly visible in the Security Copilot console. You can expand the output result within the console or export the findings to Excel for a clearer view of the additional details. For this investigation, you can then more thoroughly review the URL from which the file was downloaded, verify the file location through its folder path, and locate the user account associated with the download. The next screenshot displays these additional details seen in the Excel spreadsheet.

Then, the “Process - Process Executions Summary” skill provides a list of processes executed on the same device, vnevado-win10v, during the same period.

Instead of manually reviewing all 128 processes, you can ask Security Copilot to analyze the processes and flag any suspicious ones. It is also worth mentioning that earlier in the investigation, using the Microsoft Entra plugin, Security Copilot reported that user account “jonaw” belongs to Jonathan Wolcott, an account executive in the Sales department.

With this information, let’s ask Security Copilot to identify any process execution that would typically not be carried out by someone outside of the IT department. Here is the Security Copilot prompt you can use: “User ‘jonaw’ is an account executive in the sales department. With this information, can you identify any processes that typically should not be carried out by someone outside of the IT department?”

Security Copilot then identifies six suspicious processes and provides its reasoning along the way.

Once again, you can export the Security Copilot findings to Excel for a more thorough review. The next screenshot displays the results in Excel, with a more readable format.

Now that a few more suspicious processes have been identified, let's revisit the downloaded file, DomainDominance198.zip, to see if more details can be uncovered.

The skill, “File - Any Device Events Related To This File”, is part of the “Custom Plugin Defender Device Investigation” plugin in Security Copilot. It is designed to identify any device events or activities related to a specific file. It uses the filename as a keyword to filter and display only the device events containing this keyword within a defined time period. For this security incident, let's use this skill to search for device events containing the name of the downloaded file, DomainDominance198.

Upon reviewing the Security Copilot response exported to Excel, you can see that a new file, DomainDominance198.ps1, has been created in the same directory as DomainDominance198.zip.

In addition, the “File - File Origin” skill in the “Custom Plugin Defender Device Investigation” plugin provides details about a file's origin or source. It shows where the file came from, and any associated file or connection linked to it. In this case, as shown in the next screenshot, Security Copilot reveals that the file DomainDominance198.zip was downloaded from a specific URL.

And that the file DomainDominance198.ps1 is associated with file DomainDominance198.zip, as shown next.

The additional details in Security Copilot’s responses highlight the exact association, indicating that the File Origin Referrer URL for DomainDominance198.ps1 is DomainDominance198.zip, as shown in the next screen capture.

With these insights, let's use another Security Copilot skill to conduct a more in-depth examination of PowerShell execution events on device vnevado-win10v. The skill, “Process - Detailed Process Events”, is also part of the “Custom Plugin Defender Device Investigation” plugin. It retrieves detailed process execution events, including process command line information and the parent process execution details, for the specified process on a given device within a defined time frame.

When this skill is invoked, it requires four mandatory fields to be filled, as shown next.

Security Copilot then displays the PowerShell execution events identified on device vnevado-win10v within the specified timeframe of 2024-11-22 09:30 to 2024-11-22 10:30, as shown next.

From a more condensed text view of the responses from Security Copilot, a range of unusual or potentially harmful behaviors can be observed in the next screenshot. Some of these suspicious events are highlighted in yellow or displayed in bold in the next screenshot.

The process execution events retrieved include command line details and the parent process, so you can see both the PowerShell executions and the processes launched with PowerShell as the parent process. The suspicious processes, such as mimikatz.exe, Rubeus.exe, xcopy.exe, PsExec.exe, and others mentioned in the Security Copilot incident summary, are identified here, allowing you to quickly recognize the correlation.

Additionally, you can ask Security Copilot to assist you in reviewing the suspicious events. For instance, immediately after the xcopy command was used to copy the file “Rubeus.exe” to the remote device vnevado-win10b, a subsequent command involving “PsExec.exe” is observed in the detailed PowerShell execution events presented earlier by Security Copilot. The two command lines are shown in the next screen capture.

Consulting with Security Copilot reveals that “PsExec.exe” executed a command remotely on the device vnevado-win10b. This command launched “Rubeus.exe” to dump Kerberos tickets for the user “nestorw” and saved the output to C:\Temp\AdminTicket.txt. Security Copilot notes that this action indicates credential dumping and potential lateral movement within the network. The next screenshot shows the prompt along with part of the responses from Security Copilot.

As there are many other potentially harmful behaviors also observed in the detailed PowerShell execution events presented by Security Copilot earlier, you can submit each of these suspicious events to Security Copilot and ask for insights.
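An added example, not part of the blog or the plugin, that applies the same parent-process and sequencing reasoning to an exported DeviceProcessEvents table: it lists PowerShell's children, flags the tools named in the incident summary, and pairs a copy to a UNC host with a PsExec run against that same host shortly afterwards. The rows, the Downloads paths and the 300-second window are constructed assumptions; tool arguments are deliberately omitted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows shaped like a DeviceProcessEvents export for vnevado-win10v
# (Defender column names; command lines are illustrative and tool arguments are omitted).
COLS = ("Timestamp", "FileName", "ProcessCommandLine", "InitiatingProcessFileName", "AccountName")
SAMPLE_PROCS = [dict(zip(COLS, row)) for row in [
    ("2024-11-22T09:50:01Z", "powershell.exe",
     r"powershell.exe -File C:\Users\jonaw\Downloads\DomainDominance198.ps1", "explorer.exe", "jonaw"),
    ("2024-11-22T09:51:10Z", "mimikatz.exe", r"mimikatz.exe", "powershell.exe", "jonaw"),
    ("2024-11-22T09:52:30Z", "xcopy.exe",
     r"xcopy C:\Users\jonaw\Downloads\Rubeus.exe \\vnevado-win10b\C$\Temp", "powershell.exe", "jonaw"),
    ("2024-11-22T09:52:41Z", "PsExec.exe",
     r"PsExec.exe \\vnevado-win10b C:\Temp\Rubeus.exe", "powershell.exe", "jonaw"),
    ("2024-11-22T09:55:00Z", "notepad.exe", r"notepad.exe", "explorer.exe", "jonaw"),
]]

# Tools named in the incident summary; matched case-insensitively against FileName.
WATCHLIST = {"mimikatz.exe", "rubeus.exe", "xcopy.exe", "psexec.exe"}
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def children_of(rows, parent="powershell.exe"):
    """Processes whose parent (InitiatingProcessFileName) is `parent`, oldest first."""
    return sorted((r for r in rows if r["InitiatingProcessFileName"].lower() == parent.lower()),
                  key=lambda r: r["Timestamp"])


def watchlisted(rows):
    """Executions whose FileName is on the watchlist, as (timestamp, parent, filename)."""
    return [(r["Timestamp"], r["InitiatingProcessFileName"], r["FileName"])
            for r in rows if r["FileName"].lower() in WATCHLIST]


def unc_hosts(cmdline):
    """Hostnames referenced as UNC targets (a double backslash followed by a name)."""
    return {h.lower() for h in re.findall(r"\\\\([\w.-]+)", cmdline)}


def copy_then_remote_exec(rows, window_s=300):
    """A copy tool writing to a UNC host, then PsExec against that host within window_s.

    Returns (host, copy timestamp, psexec timestamp) per match: the stage-then-execute
    pattern the blog calls out for Rubeus.exe and vnevado-win10b.
    """
    ordered = sorted(rows, key=lambda r: r["Timestamp"])
    hits = []
    for i, r in enumerate(ordered):
        if r["FileName"].lower() not in COPY_TOOLS:
            continue
        for host in unc_hosts(r["ProcessCommandLine"]):
            for later in ordered[i + 1:]:
                if parse_ts(later["Timestamp"]) - parse_ts(r["Timestamp"]) > timedelta(seconds=window_s):
                    break  # rows are time-ordered, so nothing further can be in the window
                if later["FileName"].lower() == "psexec.exe" and host in unc_hosts(later["ProcessCommandLine"]):
                    hits.append((host, r["Timestamp"], later["Timestamp"]))
    return hits
```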

Downloading and Installing the Custom Plugins

The configuration files for the custom plugins can be downloaded from this link. Once you have the configuration file (in YAML format), here are the steps to upload and install it to your Security Copilot instance.

Step 1: Select the Sources icon in the Prompt bar.

Step 2: Scroll to the bottom of the Manage Sources page; within the Custom section, you'll find the "Add a plugin" option.

Step 3: Click on “Add plugin” and then choose “Copilot for Security plugin”, as illustrated in the next screenshot. 

Step 4: Click on “Upload file” to install the configuration file, which is in YAML format.

Step 5: Click on Add. And voilà, the new custom plugin appears along with other plugins in the Manage sources section, as seen in the screen capture next.

Now you can start using the custom plugins and they will appear in the “System Capabilities” section.

Updated Feb 06, 2025
Version 1.0