Hunting for network signatures in Microsoft Defender for Endpoint
Published May 27 2022 06:00 AM

Security researchers Meitar Pinto and Thiago Marques also contributed to this post.

As we continue to evolve Microsoft 365 Defender so that security teams can analyze enriched incidents built from alerts and events across diverse sources, user feedback is a critical input. One of the core asks we heard from customers was for Defender for Endpoint to provide deeper visibility into the sources and destinations of network traffic on protected endpoints.


Previously, Microsoft Defender for Endpoint introduced device discovery as part of our Threat and Vulnerability Management component. Device discovery employs both active (standard discovery) and passive (basic discovery) methods to discover devices. The passive method listens to traffic and surfaces new devices to the Microsoft 365 Defender portal.


We have recently expanded advanced hunting capabilities to expose network traffic details collected by device discovery. The DeviceNetworkEvents table has a new ActionType value, NetworkSignatureInspected, that presents this information. Events with this action type carry the details of the detected traffic in the AdditionalFields column, as shown in figure 1.


Figure 1. AdditionalFields details from a NetworkSignatureInspected action type from the DeviceNetworkEvents advanced hunting table


AdditionalFields generally captures more information beyond what the standard network event would store. In the case of the new NetworkSignatureInspected action type, you have SignatureName, SignatureMatchedContent, and SamplePacketContent.


  • SignatureName – Refers to the name of the traffic pattern that was detected. Current signatures detect traffic such as SSH, HTTP, DNS, and FTP. You can see the unique signatures detected in your environment by running the following hunting query:

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend SigName = parse_json(AdditionalFields).SignatureName, SigMatchedContent = parse_json(AdditionalFields).SignatureMatchedContent, SigSampleContent = parse_json(AdditionalFields).SamplePacketContent
| distinct tostring(SigName)

The query outputs the distinct signature types like so:


Figure 2. Distinct signature types from NetworkSignatureInspected action type, found in AdditionalFields


  • SignatureMatchedContent – This field presents the actual traffic payload that triggered the signature detection. Depending on the signature, this field might contain plain text data, encoded data, or hex values. Examples of possible values that can appear in the SignatureMatchedContent field are listed below:

SignatureName   SignatureMatchedContent
HTTP_Client     GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?11791a66b4e4cedd HTTP/1.1
DNS_Request     r%E9%01%00%00%01%00%00%00%00%00%00%06eu-v20%06events%04data%09microsoft%03com
SMB_Client      %00%00%00%E8%FESMB

  • SamplePacketContent – In this field, you can find additional traffic payload content that has been captured. Depending on the signature, this may be the same bytes as the SignatureMatchedContent value or bytes captured at other offsets within the same network connection.
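The encoded values in these fields are raw packet bytes, percent-encoded. As an added example (not part of the original post and not Microsoft code), the Python below decodes them, extracts the queried name from a DNS_Request sample that is truncated after the question name, and identifies the SMB dialect marker in an SMB_Client sample; the sample values are the ones from the table above.

```python
# Added example (not Microsoft's code): decode the percent-encoded packet bytes that
# DeviceNetworkEvents stores in SignatureMatchedContent and SamplePacketContent.
import struct
from urllib.parse import unquote_to_bytes

def decode_payload(value: str) -> bytes:
    """Printable bytes appear literally (the leading 'r' below is 0x72), others as %XX."""
    return unquote_to_bytes(value)

def parse_dns_request(value: str) -> dict:
    """Parse a DNS_Request sample: 12-byte header, then the QNAME labels.
    Samples are usually truncated (no terminating label, QTYPE or QCLASS),
    so stop at end of data as well as at a zero-length label."""
    raw = decode_payload(value)
    if len(raw) < 12:
        raise ValueError("DNS header is 12 bytes; sample is too short")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    labels, pos = [], 12
    while pos < len(raw):
        length = raw[pos]
        if length == 0 or length & 0xC0:  # end of name, or a compression pointer
            break
        pos += 1
        labels.append(raw[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return {
        "transaction_id": txid,
        "is_query": not (flags & 0x8000),     # QR bit clear means query
        "recursion_desired": bool(flags & 0x0100),
        "question_count": qdcount,
        "qname": ".".join(labels),
    }

def classify_smb_client(value: str) -> str:
    """SMB_Client samples begin with the 4-byte NetBIOS session header
    (type 0x00 + 3-byte length) followed by the SMB protocol magic."""
    raw = decode_payload(value)
    if len(raw) < 8 or raw[0] != 0x00:
        return "unknown"
    return {b"\xfeSMB": "SMB2/3", b"\xffSMB": "SMB1"}.get(raw[4:8], "unknown")

# Sample values copied from the table above.
DNS_SAMPLE = "r%E9%01%00%00%01%00%00%00%00%00%00%06eu-v20%06events%04data%09microsoft%03com"
SMB_SAMPLE = "%00%00%00%E8%FESMB"

if __name__ == "__main__":
    print(parse_dns_request(DNS_SAMPLE)["qname"], classify_smb_client(SMB_SAMPLE))
```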

 

Here are a few scenarios where you can use the NetworkSignatureInspected action type in advanced hunting:


  • Flag weak SSH protocol usage:

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend SigName = parse_json(AdditionalFields).SignatureName, SigMatchedContent = parse_json(AdditionalFields).SignatureMatchedContent, SigSampleContent = parse_json(AdditionalFields).SamplePacketContent
| where SigName == 'SSH'
| where SigMatchedContent == 'SSH-1'
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort

  • Find network events that occurred on non-standard ports:

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend json = parse_json(AdditionalFields)
| project LocalIP, LocalPort, RemoteIP, RemotePort, SignatureName = tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SamplePacketContent = tostring(json.SamplePacketContent)
// SMB_Client signatures on ports other than 445 and 139,
// or DNS requests on ports other than 53, 137, 5353 and 5355
| where (SignatureName == "SMB_Client" and LocalPort !in (445, 139) and RemotePort !in (445, 139))
    or (SignatureName == "DNS_Request" and LocalPort !in (53, 137, 5353, 5355) and RemotePort !in (53, 137, 5353, 5355))

  • Find what DNS servers are used by clients:

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend json = parse_json(AdditionalFields)
| project LocalIP, LocalPort, RemoteIP, RemotePort, SignatureName = tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SamplePacketContent = tostring(json.SamplePacketContent)
| where SignatureName == "DNS_Request" and RemotePort == 53
| summarize dcount(LocalIP) by RemoteIP

  • Find executable files that were downloaded over HTTP:

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend json = parse_json(AdditionalFields)
| project LocalIP, LocalPort, RemoteIP, RemotePort, SignatureName = tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SamplePacketContent = tostring(json.SamplePacketContent)
| where SignatureName == "HTTP_Client"
| where SignatureMatchedContent has ".exe"

We hope this new signature data helps you hunt for suspicious network events at a more granular level and streamline your hunting activities. We look forward to hearing your feedback about these new capabilities. Stay tuned for more signatures to be released over time!

Last update: Jun 16 2022 01:25 AM