CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)

Defending Microsoft
environments at scale v1.2
Vineet Bhatia (@ThreatHunting)
04 Jun 2018
Poland, 2018

Agenda
• Introduction and Background
• Microsoft security stack in Windows 10
• Defense model based on MITRE ATTACK and the Microsoft stack
• Event data collection at scale and the role of telemetry
• Security stack in the cloud (Microsoft 365)
• Q&A
04 Jun 2018 Vineet Bhatia (@ThreatHunting) 2

Introduction
• Vineet Bhatia
• Focus on Threat Detection, Prevention and Response
• Pharma, Retail, Banking and Aviation industries

Problem statement
1. Declutter the number of agents on endpoints.
2. Remove dependencies on point solutions.
3. Implement security outside traditional network boundaries.

Microsoft security stack in Windows 10
Windows Defender SmartScreen
• App and website reputation checks.
• Checks run when app is first run.
• Only performed on downloaded apps.
• E.g.: Detects crypto-currency miners:
http://bit.ly/2tPVeNM
Credential Guard
• Virtualization of security process.
• Protects secrets such as NTLM and KTGT.
• Windows 10 and Server 2016 covered.
Enterprise Cert. Pinning
• Protect internal domains from chaining.
• Pin X509 Cert and Public Key to the root.
Device Guard
• Windows Defender Application Control.
http://bit.ly/2FK5A32
• Previously Code Integrity Policies.
• Application whitelisting with kernel
protection.
• Windows 10 and Server 2016 covered.
Windows Defender
• Antivirus and Antimalware protection.
• Base Product + Enhanced WDATP.
• First came out in Windows 8.
• Exploit Guard launched Dec 2017 (see memory
protections).
• Application Guard: http://bit.ly/2Ir1HBW
Untrusted Font Blocking
• Font Parsing Attacks (Elevation of Priv.)
• Fixed in Windows 10 Build 1703 (AppContainer)
• Merged with Kernel Pool Protections.
Memory Protections
• Control Flow Guard: http://bit.ly/2DnSarz
• Code Integrity Guard
• Arbitrary Code Guard: http://bit.ly/2Gryeam
• Windows Defender Exploit Guard:
http://bit.ly/2p7EDjS
• Previously limited to DEP/SEHOP/ASLR.
Others
• UEFI Secure Boot – Firmware tampering.
• Early Launch Anti-Malware (ELAM) – Starts
antimalware prior to the start of non-MSFT
drivers.
• Device Health Attestation (DHA) – Posture
assessment prior to connectivity.

MITRE ATT&CK Framework
Privilege Escalation
Enter system as unpriv user
and exploit vulnerabilities to
become SYSTEM or Admin.
Persistence
Maintaining access through a
system interruption such as
restart, loss of credentials, etc.
Credential Access
Obtaining access or control of
system, domain or service
creds.
Defense Evasion
Avoiding detection by setting
attributes across all other
phases.
Lateral Movement
Enable access to other
systems on network
with/wout execution of tools.
Discovery
Gain knowledge of internal
system or network.
Collection
Gather sensitive files from
network prior to exfil.
Execution
Execute adversary controlled
code on local or remote
system.
Exfiltration
Remove files and information
from target network.
Command and Control
Adversary communication
on/to target network.

Framework
Privilege
Escalation
Execution
Persistence
Credential
Access
Lateral
Movement
Collection
C2 / Exfil
Defense
Evasion
Discovery
Windows
Firewall
Credential
Guard
WEF
WDATP
ATA /
Azure ATP
Application
Guard
Defender
Smart-
screen
Exploit
Guard
Device
Guard
Single Platform
Approach
Higher efficiency controls

Data collection and analysis at scale
25,000 PCs
6,000 Servers
50% remote users across 300 cities
10 Terabytes of Log Data Everyday
Multiple cloud environments
If everything seems under control, you’re not going fast enough. – Mario Andretti

What doesn’t work at scale?
“Trying is the first step towards failure.”
- Homer Simpson (1987)
• Multiple Agents on the same host may result in duplicate or conflicting telemetry.
• De-Dup and normalization efforts multiply at scale.
• Collecting logs in the cloud as you would inside your datacenter.
• Use native capabilities such as Azure log analytics, Cloudwatch, Cloudtrail etc.
• Waiting for machines to “phone-in” to the corporate network after being on the road.
• Design log collection efficiently. Log drift is a problem at scale.

A working defense model
What will you find? What will you stop?
Host Based Activity Anomalous traffic in/out of the host
Network Activity To/From Hosts Exploits from running at any priv. level
Anomalous use of credentials / priv. All untrusted code on your PCs
Visibility into what happens on the cloud Ability to run Mimikatz on your domain
(Maybe)
Detection Prevention
Windows Event Forwarding OR Sysmon
OR Windows Defender ATP*
Windows Firewall
Advanced Threat Analytics OR Azure ATP Windows Defender ATP / Exploit Guard /
Application Guard
Azure Identity P1/P2 Credential Guard
SIEM of choice Device Guard
* Windows 7 (RC), Windows 10 and Server 2016 only

Living off the land – For Defense
https://twitter.com/mattifestation/
status/972654625554771969

How does this come together?
• Single Inventory of assets using SCCM, baselining using DHA.
• Ability to collect basic forensic data rapidly using Sysmon.
• Uniform logging standard across the enterprise using GPMC.
• Ability to identify identity and privilege misuse using MS-ATA.
• Collect telemetry from all endpoints using Windows Defender.

Device Health Attestation
in Windows 10
• Early Boot Vulnerability – MS15-111
• Detect Secure Boot Tampering (Jailbreak techniques)
• Leverage Trusted Platform Module (TPM)
• DHA allows enterprises to validate health data remotely and based on hardware attestation
• Built upon Windows 8 fundamentals (Secure Boot, Measured Boot, ELAM and TPM Attestation)
• Detect configuration parameters such as:
• BitLockerStatus
• SecureBootEnabled
• ELAMDriverLoaded
• CodeIntegrityEnabled
• VSMEnabled
• Etc.
• Validating devices against the DHA cloud is free of cost.
• More Information: https://bit.ly/2xFNGPH

Basic environment hygiene
https://twitter.com/ncsc/
status/973122188344791
040

Windows 10 Telemetry Data
• Diagnostic data sent by Windows system is configured in the GPO.
• Privacy considerations should be studied before configuration.
• See More on Telemetry Privacy at: http://bit.ly/2DnmzpS
• Perform investigations, optimize firewall and bitlocker configurations and investigate identities.
• Perform automated remediation (WDATP AIRS).
• Write custom Threat Hunting rules and query endpoints for matches (WDATP Advanced Hunting).
WD ATP on Windows 10 (1709) and later:

Use Case: Monitoring
• Option 1: Windows Event Forwarding
• Option 2: Sysmon XML
• Option 3: Windows Defender ATP
Example: Investigating Privilege Escalation on your network
https://attack.mitre.org/wiki/Privilege_Escalation
Mapping MITRE ATT&CK to Windows hunting techniques:
• Roberto Rodriguez Threat Hunting Playbook:
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/attack_matrix/windows
Start Fresh or building on fundamentals:
• Florian Roth Sigma Project:
https://github.com/Neo23x0/sigma/tree/master/rules

Example: Investigating Privilege
Escalation
Privilege
Escalation
Scenarios Windows Event Log Sysmon
Event IDs
See Also
Accessibility
Features
SETHC.exe
UTILMAN.exe
OSK.exe
Magnify.exe
Narrator.exe
DisplaySwitch.exe
AtBroker.exe
4656 - A handle to a Registry key or Registry
Value was requested.
4657 - A registry value was modified.
4660 - An registry key or value was deleted or
removed.
4663 - An attempt was made to access a
Registry key or Registry Value
Look for changes to:
HKEY_LOCAL_MACHINESOFTWAREMicrosoft
Windows NTCurrentVersionImage File
Execution Options{name of the executable}
Sysmon Event ID 12,13
and 14 - Registry
Modification
Enable registry auditing: auditpol /set
/subcategory:”Registry” /success:enable
Option 1: Using Windows Event Forwarding

Escalation
Privilege
Escalation
Event IDs
See Also
AppCert DLLs CreateProcess
CreateProcessAsUser
CreateProcessWithLoginW
CreateProcessWithTokenW
WinExec
Look for changes or any new DLL locations being
added to:
HKEY_LOCAL_MACHINESystemCurrentControl
SetControlSession ManagerAppCertDlls
Sysmon Event ID 12,13
and 14 - Registry
Modification
https://github.com/threathunting/sysmo
n-config/blob/master/sysmonconfig-
export.xml#L400

Escalation
Privilege
Escalation
Event IDs
See Also
AppInit DLLs User32.dll loading unknown
third party DLL
Look for changes or any new DLL locations being
added to:
HKEY_LOCAL_MACHINESoftwareMicrosoftWi
ndows NTCurrentVersionWindows OR
HKEY_LOCAL_MACHINESoftwareWow6432No
deMicrosoftWindows
NTCurrentVersionWindows
Sysmon Event ID 7 -
DLL (image) load by
process
User32.dll loading
unusual DLL should
trigger
The AppInit DLL functionality is disabled
in Windows 8 and later versions when
secure boot is enabled.
https://github.com/threathunting/sysmo
n-config/blob/master/sysmonconfig-
export.xml#L260
Also consider running this on all systems
and pulling data back for analysis:
autorunsc -a d -h -m -s -u *

Escalation
Option 2: Using Event Data (Sysmon Query)$
If you pooled your data into a SIEM of your choice, you could search event data using structured queries.
Example, on Splunk, you could search the sysmon index :
`sysmon` EventCode=1 (
(ParentImage=*winlogon.exe
((Image=*Utilman.exe CommandLine=*/debug*) OR (Image=*sethc.exe (CommandLine=*sethc.exe 211* OR
CommandLine=*sethc.exe 101*)))) OR (ParentImage=*utilman.exe (CommandLine=*osk.exe* OR
CommandLine=*magnify.exe* OR CommandLine=*narrator.exe* OR CommandLine=*DisplaySwitch.exe* OR
CommandLine=*AtBroker.exe*))) | table _time, host, Image, CommandLine, ParentProcessId, ParentImage,
ParentCommandLine, User
$: Requires Sysmon and config XML to be configured:
https://github.com/threathunting/sysmon-config

Example: Malware Hunting
Option 2: Using Sysmon data in Splunk
Credits to @jarrettp and @m_haggis for
providing the base fork of this config.
https://github.com/MHaggis/sysmon-
splunk-app

Escalation
Option 3: Windows Defender ATP (Advanced Hunting)
Windows Defender Advanced Threat Protection (WDATP) includes a new module that allows you to
query the backend schema directly. This capability is called Advanced Hunting. See: http://bit.ly/2p6O8zI
//Accessibility_features_misuse_detection
RegistryEvents
| where EventTime >= ago(1h)
| where RegistryKey contains
@"HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionImage File Execution Options”
| project InitiatingProcessParentName, InitiatingProcessFileName, ActionType,
RegistryKey, RegistryKeyValueType, RegistryKeyValueName,
RegistryKeyValueData, RegistryKeyPreviousKeyValueName,
RegistryKeyPreviousKeyValueData

Escalation
//AppCertDLL_detection
RegistryEvents
| where RegistryKey contains @"HKEY_LOCAL_MACHINESystemCurrentControlSetControlSession
ManagerAppCertDlls”
| project InitiatingProcessParentName, InitiatingProcessFileName, ActionType, RegistryKey,
RegistryKeyValueType, RegistryKeyValueName, RegistryKeyValueData, RegistryKeyPreviousKeyValueName,

Escalation
//AppInitDLL_detection
RegistryEvents
| where RegistryKey contains @"HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
NTCurrentVersionWindows" or RegistryKey contains
@"HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows NTCurrentVersionWindows"
| project InitiatingProcessParentName, InitiatingProcessFileName, ActionType, RegistryKey,
RegistryKeyValueType, RegistryKeyValueName, RegistryKeyValueData, RegistryKeyPreviousKeyValueName,

Escalation
More hunting scripts and scenarios:
Gibin John:
https://github.com/beahunt3r/Windows-Hunting
Examples:
• Detecting Impacket Use in the Organization.
• Identifying BITSAdmin execution.
• ProcDump execution.
Florian Roth:
https://github.com/Neo23x0/sigma/blob/devel-sigmac-wdatp/tools/sigma/backends.py#L854
• Beta branch in public - devel-sigmac-wdatp
• https://github.com/Neo23x0/sigma/tree/master/rules

Escalation
More hunting scripts and scenarios:
Gibin John: https://github.com/beahunt3r/Windows-Hunting

Automated Remediation
Option 3: Windows Defender ATP (AIRS)
Alert Triggered via WDATP telemetry data (Step 1)

Invoke automated artefact collection
and triage (Step 2)

Approve remediation in
workflow (Step 3)
Machine fully
remediated (Step 4)

Security Stack in the Cloud
Microsoft 365
Identity
• Azure Advanced Threat Protection
• Azure Active Directory
Apps and Data
• Exchange Online Protection
• Office365 Advanced Threat
Protection
• Office365 Threat Intelligence
Devices
• Windows Defender Advanced
Threat Protection (WDATP)
• Microsoft Cloud App Security
Infrastructure
• Azure Security Center
Source: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/24/securing-the-modern-workplace-with-microsoft-365-threat-protection-part-1/

Threat Detection in the Cloud
Office365 ATP
• User Receives Emails
• User Opens Attachment
• User clicks on a URL
Azure ATP
• Reconnaissance
• Brute force Accounts
• Lateral Movement
• Domain admin
Azure Security Center
• Triage
• Prioritization of alerts
Windows Defender ATP
• Exploitation
• Installation
• Command and Control
Azure Log Analytics
• Logging and Monitoring
• Azure Security Center

What Where
Microsoft Docs – Windows 10 Defense http://bit.ly/2FE52Mi
The evolution of MITRE ATT&CK http://bit.ly/2tLDR0s
Windows Defender ATP Tech Community http://bit.ly/2GnwNKa
Threathunting using Sysmon http://bit.ly/2InacxP
Azure ATP Tech Community http://bit.ly/2Im3sR2
Further Reading

Questions?
Vineet Bhatia (@ThreatHunting)
Defending Microsoft
environments at scale
https://github.com/threathunting/Published-Content

CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)

More Related Content

What's hot (20)

Similar to CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia) (20)

Recently uploaded (20)

CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)