Non-interactive logins: minimizing the blind spot
review the new Microsoft Sentinel data streams for Azure Active Directory non-interactive, service principal, and managed identity logins. We will also share the new security content we built and updated in the product, which includes analytics rules for the detection part and workbooks to assist our customers to deal with this blind spot.
Automating the deployment of Sysmon for Linux đ§ and Azure Sentinel in a lab environment đ§Ș
Today, we celebrate 25 years of Sysinternals, a set of utilities to analyze, troubleshoot and optimize Windows systems and applications. Also, as part of this special anniversary, we are releasing Sysmon for Linux, an open-source system monitor tool developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and sending them to Syslog for easy consumption. Sysmon for Linux is built on a library also released today named sysinternalsEBPF which is built on libbpf including a library of eBPF inline functions used as helpers. In this post, I will show you how to automatically deploy a research lab environment with an Azure Sentinel instance and a few Linux virtual machines with Sysmon for Linux already installed and configured to take it for a drive and explore its coverage.
A Quick Guide on Using Sysmon for Linux in Azure Sentinel
Jessen Kurien - Microsoft Threat Intelligence Center Thanks to Kevin Sheldrake, Russell McDonald, Roberto Rodriguez and Ofer Shezaf for making this blog possible. Today, Linux is one of the fastest growing platforms on Azure. Linux based images form over 60% of Azure Marketplace Images. With Azure's support of common Linux distributions growing every day, the sophistication of cyber-attacks targeting Linux continues to grow. As part of the Sysinternals 25th anniversary, the Sysinternals team released a new Sysmon tool supporting Linux. Sysmon for Linux is an open-source Linux system monitoring tool that helps with providing details on process creations, network connections, file creations and deletions among other things. Sysmon for Linux is based on an eBPF (Extended Berkeley Packet Filter)-based technology targeted at in-kernel monitoring without making any changes to the kernel source code. By collecting the events it generates usingâŻAzure Sentinel and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. Sysmon for Linux can be used to analyze pre compromise and post compromise activity and when correlated with Azure Security Center (ASC)/Azure Defender (AzD) Linux detections this helps detecting the end-to-end attacker activity. In this blog post we will be taking a quick look at different log events made available by Sysmon for Linux that defenders can use to gather more information on the alerts triggered in Azure Sentinel. In Azure Sentinel, alerts can be viewed under Threat Management > Incidents: A summarized graphical threat view is also available under the Security Operations Efficiency tab: If there are potential events observed from sources that are malicious, Azure Sentinel will alert you on the map like below: Sysmon is supported by the Azure Sentinel and the https://docs.microsoft.com/en-us/azure/sentinel/normalization (ASim), ensuring Sysmon data is analyzed by built-in analytics, and easy to query. It is important to enable Sysmon Event collection for parsing and it can be configured by using below steps: Configure https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-syslog&data=04%7C01%7Cjekurien%40microsoft.com%7C9932e343fa954eed699508d9866f722c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637688635600075206%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=923PNDSTtpsj1koylMQCowpNJxeA%2Fg284KRI%2FwUxzR4%3D&reserved=0 using the Log Analytics agent. Deploy the https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FASimSysmonForLinux&data=04%7C01%7Cjekurien%40microsoft.com%7C9932e343fa954eed699508d9866f722c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637688635600075206%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=02nTm9r8cHN0%2BzHiNbizabUvL%2B8WCA1eYOFd6qbqgXo%3D&reserved=0. Or better yet, all https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FAzSentinelASim&data=04%7C01%7Cjekurien%40microsoft.com%7C9932e343fa954eed699508d9866f722c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637688635600085167%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=IonsC814ODLrxXe%2FjjQhaJwseb5Un0lF8o7BgGgL6yI%3D&reserved=0 parsers in a single package. Enriching the Investigation of an Alert: For example, letâs look at one of the alerts https://docs.microsoft.com/en-us/azure/security-center/alerts-reference that we had shown in the Incidents tab. This alert will trigger any cryptocoinmining download activity observed in the network. To investigate an alert like this using Azure Sentinel we need to use some of the events generated by Sysmon. Below are some of the events made available with Sysmon for Linux release. It's important to note that you need to set the different events that you want in the Sysmon config. More details on the steps can be found here under https://github.com/OTRF/OSSEM-DD/tree/main/linux/sysmon. For this blog, we have configured Sysmon to collect Process Create and Network Connection events that we have shown as part of a quick alert analysis. 1 â Process Create The process creation event provides extended information about a newly created process.⯠3 â Network Connect The network connection event logs TCP/UDP connections on the machine. The event also contains the source and destination host names IP (Internet Protocol) addresses, port numbers and IPv6 (Internet Protocol Version 6) status. 5 â Process Terminate The process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process. 9 â Raw Access Read The RawAccessRead event detects when a process conducts reading operations from the drive using theâŻ\\.\âŻdenotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device. 10 â Access Process The process accessed event reports when a process opens another process, an operation thatâs often followed by information queries or reading and writing the address space of the target process. 11 â File Create File create operations are logged when a file is created or overwritten. This event is useful for monitoring AutoStart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection. 23 â File Delete A file was deleted. Helpful event when attackers will try to cover their tracks and even to find anomalies from high privilege monitoring machines. Once the events are setup and being collected in Azure Sentinel, we can run a query like the one below to view all the process create logs that triggered around the time of the alert. We can see the download related to crypto mining activity along with other enumeration commands that can be used to learn more about what attackers did and help reveal more details of the attack. You can always set the time span in the âTime Rangeâ column in Azure Sentinel. vimProcessCreateLinuxSysmon | where Computer =~ "UBUNTU18ASCSYSMON" | summarize count () by Computer, CommandLine, Process We can also view the network connection logs around the timeline of the attack by using a query below to find the source of the attack and potential enumeration activity within the network. A similar approach can be taken to analyze attacker activity with the other logs sources made available using Sysmon for Linux. vimNetworkSessionLinuxSysmon | where Computer =~ "UBUNTU18ASCSYSMON"| summarize count () by Computer, Process, SrcIpAddr, DstIpAddr, Protocol If you would like to look at logs that triggered within a certain time span after or before the alert, a query like the one below might help in the analysis. In the below query we have joined the âPossible Cryptocoinminer download detectedâ alert with Process Create Linux Sysmon logs to reveal activities that occurred within 1 minute of the alert. A query like this can be applied with other alerts and log sources as well to investigate incidents previously shown under Incidents tab. SecurityAlert | where AlertName == "Possible Cryptocoinminer download detected" | summarize count () by WorkspaceSubscriptionId,CompromisedEntity= toupper(CompromisedEntity),TimeGenerated,AlertName | join kind=inner ( vimProcessCreateLinuxSysmon | project Computer = toupper(Computer), Timespan=TimeGenerated,CommandLine,Process ) on $left.CompromisedEntity==$right.Computer | extend TimeWindow = TimeGenerated + 01m | where Timespan between (TimeGenerated .. TimeWindow) | project TimeWindow,CompromisedEntity,AlertName,CommandLine,Process In our next blog post we will be covering how to use Sysmon for Linux to look for a specific MITRE ATT&CK technique and what that looks like in Azure Sentinel. Please also refer to our blog post covering Sentinel 2 Go and how to set up Sysmon for Linux with it. To conclude, the release of this tool is a significant step not only in the Linux open-source community space but also in the advancements to combat the rising sophistication of threats related to Linux attacks. As you start using and testing Sysmon for Linux tool, we encourage you to provide feedback along with details in the https://github.com/Sysinternals page. Your feedback is critical in Microsoft's mission of building better protection and defense against cyber criminals. References & Relevant Reading: https://docs.microsoft.com/en-us/sysinternals/downloads/ https://docs.microsoft.com/en-us/azure/sentinel/overview https://github.com/Azure/Azure-Sentinel https://docs.microsoft.com/en-us/azure/security-center/alerts-referenceProtect your organizations against QR code phishing with Defender for Office 365
QR code phishing campaigns have most recently become the fastest growing type of email-based attack. These types of attacks are growing and embed QR code images linked to malicious content directly into the email body, to evade detection. They often entice unwitting users with seemingly genuine prompts, like a password reset or a two-factor authentication request. Microsoft Defender for Office 365 is continuously adapting as threat actors evolve their methodologies. In this blog post weâll share more details on how weâre helping defenders address this threat and keeping end-users safe.
