Threat Detection and Response (TDR) with Defender for Endpoint


IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to the IPsum GitHub repository. The list is made of IP addresses together with the total number of (black)list occurrences for each. The greater the number, the lower the chance of a false positive detection and/or of dropping legitimate (inbound) monitored traffic. The list is also sorted from most to least occurrences.

In the levels directory you can find preprocessed raw IP lists based on the number of blacklist occurrences (e.g. levels/6.txt holds IP addresses that can be found on 6 or more blacklists).

The levels feeds are provided as links to plain .txt files, so you can use the KQL externaldata operator to pull the blacklist in at query time for KQL queries.

  • In this KQL we use the DeviceNetworkEvents table, which in the advanced hunting schema contains information about network connections and related events.

// Pull IPsum levels 8 down to 4 (IPs found on 4 or more blacklists) at query time
let IPSUMTI = (externaldata(TI_ip:string)
[
h@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt",
h@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt",
h@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt",
h@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt",
h@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"
]
with (format = "txt", ignoreFirstRecord = true)
// levels are cumulative (an IP in 8.txt is also in 7.txt ... 4.txt), so de-duplicate
| distinct TI_ip);
IPSUMTI
// only keep events that represent an actual (or observed) connection
| join (DeviceNetworkEvents
    | where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted", "ConnectionFound")
) on $left.TI_ip == $right.RemoteIP
| project Timestamp, LocalIP, RemoteIP, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, ActionType, ReportId
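To reason about the false-positive trade-off the feed description makes (lower level files cover more IPs, higher ones are more reliable) before turning the query into a detection rule, the same match can be reproduced offline. The block below is an added Python example, not code from the original post and not IPsum's or Microsoft's own code. It assumes IPsum's levels/N.txt files hold one IP address per line and the top-level ipsum.txt holds "<ip><tab><blacklist count>" lines with "#" comment lines; the feed text and the DeviceNetworkEvents-style rows are constructed sample data. It goes beyond the page's query by deriving any level threshold from the counted feed rather than fetching a fixed set of level files.

```python
"""Offline re-implementation of the IPsum vs DeviceNetworkEvents match.

Added example; not from the original post, IPsum or Microsoft.
Assumed feed formats: levels/N.txt = one IP per line; ipsum.txt =
"<ip>\\t<count>" lines with "#" comments. All inputs are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-in for the counted ipsum.txt feed (not real feed data).
IPSUM_RAW = """\
# IPsum Threat Intelligence Feed (constructed sample)
# IP\tnumber of (black)list occurrences
198.51.100.7\t9
203.0.113.44\t6
192.0.2.10\t4
192.0.2.11\t2
not-an-ip\t5
"""

# Constructed rows mirroring the DeviceNetworkEvents columns the query projects.
EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01", "RemoteIP": "198.51.100.7",
     "ActionType": "ConnectionSuccess", "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "ws02", "RemoteIP": "203.0.113.44",
     "ActionType": "ConnectionFailed", "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2024-01-01T10:02:00Z", "DeviceName": "ws03", "RemoteIP": "192.0.2.10",
     "ActionType": "InboundConnectionAccepted", "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2024-01-01T10:03:00Z", "DeviceName": "ws04", "RemoteIP": "192.0.2.11",
     "ActionType": "ConnectionFound", "InitiatingProcessFileName": "curl.exe"},
    {"Timestamp": "2024-01-01T10:04:00Z", "DeviceName": "ws05", "RemoteIP": "10.0.0.5",
     "ActionType": "ConnectionSuccess", "InitiatingProcessFileName": "outlook.exe"},
]

# Same ActionType filter as the KQL query.
CONNECTION_TYPES = {"ConnectionSuccess", "InboundConnectionAccepted", "ConnectionFound"}


def parse_ipsum(text: str, default_count: int = 1) -> Dict[str, int]:
    """Parse feed lines into {ip: occurrence_count}.

    Works for both assumed formats: a "<ip>\\t<count>" line keeps its count,
    a bare "<ip>" line (levels/N.txt) gets default_count. Comment lines,
    blank lines and malformed addresses are skipped so that a bad feed line
    cannot end up as an indicator.
    """
    result: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            count = int(parts[1]) if len(parts) > 1 else default_count
        except ValueError:
            continue  # malformed address or count: ignore the line
        result[ip] = max(count, result.get(ip, 0))
    return result


def level_feed(feed: Dict[str, int], min_occurrences: int) -> set:
    """Equivalent of levels/<N>.txt: IPs seen on at least N blacklists."""
    return {ip for ip, n in feed.items() if n >= min_occurrences}


def match_events(events: Iterable[dict], feed: Dict[str, int],
                 min_occurrences: int) -> List[dict]:
    """Mirror the KQL join: events whose RemoteIP is on >= min_occurrences
    blacklists and whose ActionType is a connection type of interest.
    The occurrence count is carried along so an analyst can triage hits
    with a low count (more false-positive prone) separately."""
    indicators = level_feed(feed, min_occurrences)
    hits = []
    for ev in events:
        if ev["ActionType"] in CONNECTION_TYPES and ev["RemoteIP"] in indicators:
            hit = dict(ev)
            hit["Occurrences"] = feed[ev["RemoteIP"]]
            hits.append(hit)
    return hits


if __name__ == "__main__":
    feed = parse_ipsum(IPSUM_RAW)
    for threshold in (4, 6):
        for hit in match_events(EVENTS, feed, threshold):
            print(threshold, hit["DeviceName"], hit["RemoteIP"], hit["Occurrences"],
                  hit["InitiatingProcessFileName"])
```

Running the module with the constructed data shows why the threshold matters: at level 4 two devices match (ws01 at 9 occurrences and ws03 at 4), at level 6 only ws01 remains; ws02 is dropped by the ActionType filter even though its remote address is on the feed, and ws04's address falls below both thresholds.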


Custom detection rule

[Screenshot: isolation.JPG]

Impacted entities

The next step is to map the impacted entities from the data provided in the query. In this case I use DeviceId to map the device impacted.

[Screenshot: impct.JPG]

Actions

In the actions you can define multiple actions that should be taken when this event occurs.

  • Isolate device: in “Full mode” all network connectivity is blocked other than communication to the Defender for Endpoint service. In “Selective mode” everything but traffic to the Defender for Endpoint service, Outlook, Microsoft Teams, and Skype for Business is blocked, so the user is still able to do some work and no direct communication channel to the end-user is cut off.
  • Run antivirus scan does exactly that: it triggers a full scan of the affected device.
  • Initiate investigation starts an automated investigation; everything found in this investigation is also added to the created incident.
  • Restrict app execution prevents the attacker from starting additional payloads on the device: only software signed by a Microsoft-issued certificate can be started on the device.

[Screenshot: ac.JPG]

Scope

In this step you select the device group(s) in your environment that the rule applies to. You can choose:

1. All devices

2. Specific device groups

Here I have selected "All devices".

[Screenshot: dev.JPG]

The last step is to check your custom detection in the summary and submit it.

[Screenshot: rule.JPG]

The custom detection can be found and changed under Hunting -> Custom detection rules.

Attackers are always changing tactics, using evasion techniques and tools such as VirusTotal to go undetected. Threat hunters live for finding the needle in the haystack: tracking down an attacker, or malware that has been deployed and is talking back to a previously unknown C2 server, is thrilling. And it does pay off.

Nothing will be detected 100% of the time by tools. That’s why we use Defender for Endpoint and our skills to build a mental model that helps identify abnormalities and decide whether or not to go down the rabbit hole.
