Microsoft Threat Experts: Case studies for managed threat hunting service
Published Feb 28 2019 05:58 AM
Microsoft

Microsoft Threat Experts is a new managed threat hunting service in Windows Defender Advanced Threat Protection. It provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. Get more details about the service here: Announcing Microsoft Threat Experts.

Below we describe case studies for the two capabilities of Microsoft Threat Experts. These case studies illustrate the depth of the intelligence and the value of the service to customers’ security defenses and overall security posture.

Targeted attack leveraging ALPC zero-day

Advanced AI-driven prioritization prompted one of our expert hunters to investigate a machine showing clear signs of human adversary activity, including credential theft, network and machine reconnaissance, and persistence through overwriting a printer driver to achieve code execution within the spoolsv.exe system process.

During this investigation, it was determined that the technique used to run malicious code with SYSTEM privileges leveraged an ALPC zero-day vulnerability (CVE-2018-8440) publicly disclosed by a security researcher. Based on publicly available information about the vulnerability, Microsoft Threat Experts were able to hunt for instances of the attack and help protect customers before a security update was made available.

Figure: Attack chain of a sophisticated threat leveraging the ALPC zero-day exploit

By providing not only the full context of the attack but also an understanding of the attacker’s capabilities, Microsoft Threat Experts empowered customers to quickly and accurately respond to this advanced threat within their network. Using this analysis, we also published a Threat Analytics report to help protect other Windows Defender ATP customers.

Suspicious alert on newly registered domain

A customer inquired about the root cause of, and how to respond to, a Windows Defender ATP alert highlighting suspicious communication with a newly registered domain originating from the Microsoft-signed binary MSIExec.exe. This type of attacker behavior is represented by MITRE ATT&CK techniques T1086 – PowerShell and T1043 – Commonly Used Port.

Our experts quickly discovered a sequence of “living off the land” techniques designed to obfuscate the attack chain and make it harder to understand. Through the rich telemetry provided by Windows Defender ATP, our experts were able to help the customer better understand and respond to the complex sequence of polymorphic activities originating from a trojanized bundled application.

Due to the complexity of the attack chain, tracing back the root cause of the incident required a deep level of understanding that Microsoft Threat Experts are uniquely positioned to provide. After the investigation, our security experts determined that the malicious activity originating from MSIExec.exe was the result of a scheduled task created days earlier, with an execution delay to avoid detection. To help protect Windows Defender ATP customers from these types of threats in general, we took this analysis and published a Threat Analytics report on living-off-the-land binaries.
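The trace-back described above, sketched as an added example (not Microsoft's code and not the Windows Defender ATP schema): it flags MSIExec.exe connections to recently registered domains and walks each one back to the scheduled task that launched the process. The event fields, the names, the 30-day domain-age window and the one-day delay threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed telemetry for illustration; the schema and every value are assumptions.
EVENTS = [
    {"ts": "2019-01-10T09:15:00", "kind": "task_created", "task": "BundleUpdater",
     "creator": "bundled_setup.exe", "action": "msiexec.exe"},
    {"ts": "2019-01-13T10:02:00", "kind": "process", "pid": 3300,
     "image": "msiexec.exe", "task": None},  # interactive install, not task-driven
    {"ts": "2019-01-13T10:02:09", "kind": "network", "pid": 3300,
     "domain": "old-domain.example", "registered": "2012-05-01T00:00:00"},
    {"ts": "2019-01-14T03:00:00", "kind": "process", "pid": 4120,
     "image": "msiexec.exe", "task": "BundleUpdater"},
    {"ts": "2019-01-14T03:00:05", "kind": "network", "pid": 4120,
     "domain": "new-domain.example", "registered": "2019-01-08T00:00:00"},
]

def _t(stamp):
    return datetime.fromisoformat(stamp)

def suspicious_connections(events, max_domain_age=timedelta(days=30)):
    """Return (connection, process) pairs where msiexec.exe reached a young domain."""
    # Keyed by PID only; real telemetry would also need the host and process start time.
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        if e["kind"] != "network":
            continue
        proc = procs.get(e["pid"])
        young = _t(e["ts"]) - _t(e["registered"]) <= max_domain_age
        if proc and proc["image"].lower() == "msiexec.exe" and young:
            hits.append((e, proc))
    return hits

def trace_root_cause(events, min_delay=timedelta(days=1)):
    """Link each flagged connection to the scheduled task that started the process."""
    tasks = {e["task"]: e for e in events if e["kind"] == "task_created"}
    findings = []
    for conn, proc in suspicious_connections(events):
        task = tasks.get(proc["task"])
        if task is None:
            continue  # no scheduled-task ancestry recorded for this process
        delay = _t(proc["ts"]) - _t(task["ts"])
        findings.append({"domain": conn["domain"], "task": task["task"],
                         "creator": task["creator"], "delay_days": delay.days,
                         "delayed": delay >= min_delay})
    return findings

if __name__ == "__main__":
    for finding in trace_root_cause(EVENTS):
        print(finding)
```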


Sign up for preview

More information about Microsoft Threat Experts is available here: Announcing Microsoft Threat Experts.

Windows Defender ATP customers can now apply for preview through the Windows Defender Security Center. We will contact customers via email to confirm their participation.


Not yet reaping the benefits of Windows Defender ATP’s industry-leading optics and detection capabilities? Sign up for a free trial today.

Windows Defender ATP team

Last update: Jul 10 2019 05:25 PM