TR18 AD MSFT Defence at Scale


Defending Microsoft environments at scale
Vineet Bhatia (@ThreatHunting)
15 Mar 2018
Agenda
• Introduction and Background
• Microsoft security stack in Windows 10
• Defense model based on MITRE ATT&CK and the Microsoft stack
• Event data collection at scale and the role of telemetry
• Security stack in the cloud (Azure, Office365)
• Q&A

15 Mar 2018 Vineet Bhatia (@ThreatHunting) 2


Introduction
• Vineet Bhatia
• Focus on Threat Detection, Prevention and Response
• Pharma, Retail, Banking and Aviation industries



Problem statement
1. Declutter the number of agents on endpoints.
2. Remove dependencies on point solutions.
3. Implement security outside traditional network boundaries.



Microsoft security stack in Windows 10

Windows Defender SmartScreen
• App and website reputation checks.
• Checks run when app is first run.
• Only performed on downloaded apps.
• E.g.: Detects crypto-currency miners: http://bit.ly/2tPVeNM

Credential Guard
• Virtualization of security process.
• Protects secrets such as NTLM and Kerberos TGT.
• Windows 10 and Server 2016 covered.

Enterprise Cert. Pinning
• Protect internal domains from chaining.
• Pin X509 Cert and Public Key to the root.

Memory Protections
• Control Flow Guard: http://bit.ly/2DnSarz
• Code Integrity Guard
• Arbitrary Code Guard: http://bit.ly/2Gryeam
• Windows Defender Exploit Guard: http://bit.ly/2p7EDjS
• Previously limited to DEP/SEHOP/ASLR.

Device Guard
• UEFI Secure Boot – Firmware tampering.
• Windows Defender Application Control.
• Early Launch Anti-Malware (ELAM) – http://bit.ly/2FK5A32 – Starts antimalware prior to the start of non-MSFT drivers.
• Previously Code Integrity Policies.
• Application whitelisting with kernel protection.
• Device Health Attestation (DHA) – Posture assessment prior to connectivity.
• Windows 10 and Server 2016 covered.

Windows Defender
• Antivirus and Antimalware protection.
• Base Product + Enhanced WDATP.
• First came out in Windows 8.
• Exploit Guard launched Dec 2017 (see memory protections).

Untrusted Font Blocking
• Font Parsing Attacks (Elevation of Priv.)
• Fixed in Windows 10 Build 1703 (AppContainer)
• Merged with Kernel Pool Protections.

Others
• Application Guard: http://bit.ly/2Ir1HBW



MITRE ATT&CK Framework

• Privilege Escalation: Enter system as unpriv user and exploit vulnerabilities to become SYSTEM or Admin.
• Credential Access: Obtaining access or control of system, domain or service creds.
• Lateral Movement: Enable access to other systems on network with/without execution of tools.
• Collection: Gather sensitive files from network prior to exfil.
• Command and Control: Adversary communication on/to target network.
• Persistence: Maintaining access through a system interruption such as restart, loss of credentials, etc.
• Defense Evasion: Avoiding detection by setting attributes across all other phases.
• Discovery: Gain knowledge of internal system or network.
• Execution: Execute adversary controlled code on local or remote system.
• Exfiltration: Remove files and information from target network.



Framework

[Diagram: "Single Platform Approach". A wheel of MITRE ATT&CK tactics (Discovery, Collection, C2 / Exfil, Lateral Movement, Defense Evasion, Credential Access, Privilege Escalation, Persistence, Execution) overlaid with the Microsoft controls that cover them (Windows Firewall, Device Guard, Credential Guard, WEF, WDATP, ATA / Azure ATP, Exploit Guard, Defender, Application Guard, Smartscreen). Legend: "Higher efficiency controls".]



Data collection and analysis at scale
25,000 PCs
6,000 Servers
50% remote users across 300 cities

Multiple cloud environments

10 Terabytes of Log Data Everyday


If everything seems under control, you’re not going fast enough. – Mario Andretti



What doesn’t work at scale?
“Trying is the first step towards failure.”
- Homer Simpson (1987)

• Multiple Agents on the same host may result in duplicate or conflicting telemetry.
• Collecting logs in the cloud as you would inside your datacenter.
• Waiting for machines to “phone-in” to the corporate network after being on the road.



A working defense model
Detection:
• Windows Event Forwarding OR Sysmon OR Windows Defender ATP*
• Advanced Threat Analytics OR Azure ATP
• Azure Identity P1/P2
• SIEM of choice

Prevention:
• Windows Firewall
• Windows Defender ATP / Exploit Guard / Application Guard
• Credential Guard
• Device Guard

* Windows 10 and Server 2016 only

What will you find?
• Host Based Activity
• Network Activity To/From Hosts
• Anomalous use of credentials / priv.
• Visibility into what happens on the cloud

What will you stop?
• Anomalous traffic in/out of the host
• Exploits from running at any priv. level
• All untrusted code on your PCs
• Ability to run Mimikatz on your domain (Maybe)
Living off the land – For Defense

https://twitter.com/mattifestation/status/972654625554771969



How does this come together?
• Single Inventory of assets using SCCM, baselining using DHA.
• Ability to collect basic forensic data rapidly using Sysmon.
• Uniform logging standard across the enterprise using GPMC.
• Ability to identify identity and privilege misuse using MS-ATA.
• Collect telemetry from all endpoints using Windows Defender.



Basic environment hygiene

https://twitter.com/ncsc/status/973122188344791040



Windows 10 Telemetry Data
• Diagnostic data sent by the Windows system is configured via GPO.
• Privacy considerations should be studied before configuration.
• See more on telemetry privacy at: http://bit.ly/2DnmzpS
WD ATP on Windows 10 (1709) and later:
• Perform investigations, optimize firewall and BitLocker configurations and investigate identities.
• Perform automated remediation (WDATP AIRS).
• Write custom threat hunting rules and query endpoints for matches (WDATP Advanced Hunting).



Use Case: Monitoring
• Option 1: Windows Event Forwarding
• Option 2: Sysmon XML
• Option 3: Windows Defender ATP
Example: Investigating Privilege Escalation on your network
https://attack.mitre.org/wiki/Privilege_Escalation

Mapping MITRE ATT&CK to Windows hunting techniques:
• Roberto Rodriguez Threat Hunting Playbook:
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/attack_matrix/windows



Example: Investigating Privilege Escalation
Option 1: Using Windows Event Forwarding

Privilege Escalation: Accessibility Features
Scenarios: SETHC.exe, UTILMAN.exe, OSK.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe
Windows Event Log Event IDs:
• 4656 - A handle to a Registry key or Registry Value was requested.
• 4657 - A registry value was modified.
• 4660 - A registry key or value was deleted or removed.
• 4663 - An attempt was made to access a Registry key or Registry Value.
Look for changes to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the executable}
Sysmon: Event ID 12, 13 and 14 - Registry Modification
See Also: Enable registry auditing: auditpol /set /subcategory:"Registry" /success:enable



Example: Investigating Privilege Escalation
Option 1: Using Windows Event Forwarding

Privilege Escalation: AppCert DLLs
Scenarios: CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, WinExec
Windows Event Log Event IDs:
• 4657 - A registry value was modified.
Look for changes or any new DLL locations being added to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
Sysmon: Event ID 12, 13 and 14 - Registry Modification
See Also: https://github.com/threathunting/sysmon-config/blob/master/sysmonconfig-export.xml#L400



Example: Investigating Privilege Escalation
Option 1: Using Windows Event Forwarding

Privilege Escalation: AppInit DLLs
Scenarios: User32.dll loading unknown third party DLL
Windows Event Log Event IDs:
• 4657 - A registry value was modified.
Look for changes or any new DLL locations being added to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows OR HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Sysmon: Event ID 7 - DLL (image) load by process. User32.dll loading an unusual DLL should trigger.
See Also: The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.
https://github.com/threathunting/sysmon-config/blob/master/sysmonconfig-export.xml#L260

Also consider running this on all systems and pulling data back for analysis:

autorunsc -a d -h -m -s -u *


Example: Investigating Privilege Escalation
Option 2: Using Event Data (Sysmon Query)*

If you pooled your data into a SIEM of your choice, you could search event data using structured
queries.
Example, on Splunk, you could search the sysmon index :
`sysmon` EventCode=1 (
(ParentImage=*\\winlogon.exe 
((Image=*\\Utilman.exe CommandLine=*/debug*) OR (Image=*\\sethc.exe (CommandLine=*sethc.exe 211*
OR CommandLine=*sethc.exe 101*)))) OR (ParentImage=*\\utilman.exe (CommandLine=*osk.exe* OR
CommandLine=*magnify.exe* OR CommandLine=*narrator.exe* OR CommandLine=*DisplaySwitch.exe* OR
CommandLine=*AtBroker.exe*))) | table _time, host, Image, CommandLine, ParentProcessId, ParentImage,
ParentCommandLine, User

* Requires Sysmon and the config XML to be configured: https://github.com/threathunting/sysmon-config
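The Splunk search above, re-expressed as a Python rule so that its boolean logic can be unit-tested against a handful of Sysmon Event ID 1 records before it is deployed to a SIEM. This is an added example, not code from the deck or from the sysmon-config project; the record layout and the sample events are constructed for this example and mirror the field names used in the Splunk query.

```python
"""Accessibility-feature launch rule: the Splunk Sysmon query expressed in Python.
Added example, not from the deck; record layout mimics Sysmon Event ID 1 fields."""
import ntpath

# Children that utilman.exe launches; the query matches them by command line.
UTILMAN_CHILDREN = ("osk.exe", "magnify.exe", "narrator.exe",
                    "displayswitch.exe", "atbroker.exe")

# Columns of the query's "| table ..." clause.
TABLE_FIELDS = ("_time", "host", "Image", "CommandLine", "ParentProcessId",
                "ParentImage", "ParentCommandLine", "User")


def _basename(path):
    """*\\name.exe in Splunk means 'last path component equals name.exe'."""
    return ntpath.basename(path or "").lower()


def matches(event: dict) -> bool:
    """Boolean logic of the Splunk search. Splunk wildcard matches are
    case-insensitive, so every field is lower-cased before comparison."""
    if event.get("EventCode") != 1:          # process creation only
        return False
    image = _basename(event.get("Image"))
    parent = _basename(event.get("ParentImage"))
    cmd = (event.get("CommandLine") or "").lower()

    if parent == "winlogon.exe":
        if image == "utilman.exe" and "/debug" in cmd:
            return True
        if image == "sethc.exe" and ("sethc.exe 211" in cmd or "sethc.exe 101" in cmd):
            return True
    if parent == "utilman.exe":
        return any(child in cmd for child in UTILMAN_CHILDREN)
    return False


def hunt(events):
    """Equivalent of '| table ...': project the matching events onto the columns."""
    return [{k: e.get(k) for k in TABLE_FIELDS} for e in events if matches(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 1, "_time": "2018-03-15T08:01:10Z", "host": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\utilman.exe", "CommandLine": "utilman.exe /debug",
     "ParentProcessId": 612, "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "ParentCommandLine": "winlogon.exe"},
    {"EventCode": 1, "_time": "2018-03-15T08:01:12Z", "host": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\sethc.exe", "CommandLine": "sethc.exe 211",
     "ParentProcessId": 612, "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "ParentCommandLine": "winlogon.exe"},
    {"EventCode": 1, "_time": "2018-03-15T08:01:14Z", "host": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\osk.exe", "CommandLine": r"C:\Windows\System32\osk.exe",
     "ParentProcessId": 4410, "ParentImage": r"C:\Windows\System32\utilman.exe",
     "ParentCommandLine": "utilman.exe /debug"},
    # A user opening the on-screen keyboard from the desktop: same binary, benign lineage.
    {"EventCode": 1, "_time": "2018-03-15T09:30:00Z", "host": "WS02", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\osk.exe", "CommandLine": r"C:\Windows\System32\osk.exe",
     "ParentProcessId": 5120, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    # Normal winlogon child with no accessibility feature involved.
    {"EventCode": 1, "_time": "2018-03-15T09:31:00Z", "host": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\LogonUI.exe", "CommandLine": "LogonUI.exe /flags:0x0",
     "ParentProcessId": 612, "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "ParentCommandLine": "winlogon.exe"},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["_time"], row["host"], row["ParentImage"], "->", row["Image"], row["CommandLine"])
```

The rule keys on process lineage rather than on the binary name alone: the accessibility tools are launched by winlogon.exe (or by utilman.exe under it) from the logon screen, which is the lineage an Image File Execution Options hijack of those binaries would produce, while the same executables started from explorer.exe are ordinary user activity and are left out. Legitimate lock-screen use of Sticky Keys or the on-screen keyboard will also match, so the hits are best correlated with the registry changes from the Option 1 slides rather than alerted on in isolation.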



Example: Malware Hunting
Option 2: Using Sysmon data in Splunk

Credits to @jarrettp and @m_haggis for providing the base fork of this config.
https://github.com/MHaggis/sysmon-splunk-app
Example: Investigating Privilege Escalation
Option 3: Windows Defender ATP (Advanced Hunting)

Windows Defender Advanced Threat Protection (WDATP) includes a new module that allows you to
query the backend schema directly. This capability is called Advanced Hunting. See: http://bit.ly/2p6O8zI

//Accessibility_features_misuse_detection
RegistryEvents
| where EventTime >= ago(1h)
| where RegistryKey contains @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
| project InitiatingProcessParentName, InitiatingProcessFileName, ActionType, RegistryKey, RegistryKeyValueType, RegistryKeyValueName, RegistryKeyValueData, RegistryKeyPreviousKeyValueName, RegistryKeyPreviousKeyValueData



Example: Investigating Privilege Escalation
Option 3: Windows Defender ATP (Advanced Hunting)

//AppCertDLL_detection
RegistryEvents
| where EventTime >= ago(1h)
| where RegistryKey contains @"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"
| project InitiatingProcessParentName, InitiatingProcessFileName, ActionType, RegistryKey, RegistryKeyValueType, RegistryKeyValueName, RegistryKeyValueData, RegistryKeyPreviousKeyValueName, RegistryKeyPreviousKeyValueData



Example: Investigating Privilege Escalation
Option 3: Windows Defender ATP (Advanced Hunting)

//AppInitDLL_detection
RegistryEvents
| where EventTime >= ago(1h)
| where RegistryKey contains @"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" or RegistryKey contains @"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
| project InitiatingProcessParentName, InitiatingProcessFileName, ActionType, RegistryKey, RegistryKeyValueType, RegistryKeyValueName, RegistryKeyValueData, RegistryKeyPreviousKeyValueName, RegistryKeyPreviousKeyValueData
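The three Option 1 slides (Windows Event Forwarding) and the three Advanced Hunting queries above watch the same registry locations: Image File Execution Options for the accessibility executables, AppCertDlls, and the AppInit_DLLs values of the Windows key. The following is an added Python triage routine, not code from the deck or from any Microsoft product, that applies those rules to registry-modification records after the fact and adds the refinements a practitioner needs when the events arrive from mixed sources: Sysmon writes HKLM and appends the value name to the key path, WDATP RegistryEvents writes HKEY_LOCAL_MACHINE and carries the value name separately, and ControlSet001 must be treated as CurrentControlSet. The record layout and all sample events are constructed for this example.

```python
"""Registry-modification triage for the three privilege-escalation /
persistence scenarios on the slides (IFEO for accessibility tools,
AppCertDlls, AppInit_DLLs).  Added example, not from the deck."""
import re
from typing import Optional

# Executables from the "Accessibility Features" scenario on the slides.
ACCESSIBILITY_EXES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

# Monitored locations, written without the hive and in lower case so that
# they compare equal to normalised event keys.
IFEO_KEY = r"software\microsoft\windows nt\currentversion\image file execution options"
APPCERT_KEY = r"system\currentcontrolset\control\session manager\appcertdlls"
APPINIT_KEYS = (
    r"software\microsoft\windows nt\currentversion\windows",
    r"software\wow6432node\microsoft\windows nt\currentversion\windows",
)
APPINIT_VALUES = {"appinit_dlls", "loadappinit_dlls", "requiresignedappinit_dlls"}

_HIVE_RE = re.compile(r"^(hkey_local_machine|hklm)\\", re.IGNORECASE)
_CONTROLSET_RE = re.compile(r"^system\\controlset\d{3}\\")


def normalise_key(key: str) -> str:
    """Lower-case, drop the HKLM prefix (Sysmon writes HKLM, WDATP writes
    HKEY_LOCAL_MACHINE) and fold ControlSet00N into CurrentControlSet."""
    k = key.strip().strip("\\").lower()
    k = _HIVE_RE.sub("", k)
    return _CONTROLSET_RE.sub(r"system\\currentcontrolset\\", k)


def _finding(technique: str, target: str, event: dict) -> dict:
    return {
        "technique": technique,
        "target": target,
        "process": event.get("process", ""),
        "data": event.get("value_data", ""),
    }


def classify(event: dict) -> Optional[dict]:
    """Return a finding when a registry event touches a monitored location,
    else None.  The event shape is constructed for this example:
    {"key", "value_name", "value_data", "process"}.  Sysmon 12/13 put the
    value name at the end of TargetObject, WDATP RegistryEvents split it
    into RegistryKeyValueName; both forms are accepted."""
    key = normalise_key(event["key"])
    vname = (event.get("value_name") or "").lower()

    # Scenario 1: IFEO\<accessibility exe>; other IFEO subkeys are left to
    # a broader rule so that debugger settings for developer tools do not
    # drown out the accessibility-feature hits the slide is after.
    if key.startswith(IFEO_KEY + "\\"):
        target = key[len(IFEO_KEY) + 1:].split("\\", 1)[0]
        return _finding("Accessibility Features (IFEO)", target, event) \
            if target in ACCESSIBILITY_EXES else None

    # Scenario 2: any value under AppCertDlls names a DLL that is loaded into
    # every process created through the CreateProcess family.
    if key == APPCERT_KEY or key.startswith(APPCERT_KEY + "\\"):
        target = vname or key[len(APPCERT_KEY) + 1:]
        return _finding("AppCert DLLs", target, event)

    # Scenario 3: only the AppInit_DLLs-related values of the Windows key
    # matter; the key holds many unrelated values that would otherwise be noise.
    for base in APPINIT_KEYS:
        if key == base:
            name = vname
        elif key.startswith(base + "\\"):
            name = key[len(base) + 1:]
        else:
            continue
        return _finding("AppInit DLLs", name, event) if name in APPINIT_VALUES else None
    return None


def triage(events: list) -> list:
    """Run classify() over a batch of records and keep the hits."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample telemetry (not real data); mixes Sysmon- and WDATP-style keys.
SAMPLE_EVENTS = [
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "value_data": r"C:\path\to\debugger.exe", "process": "reg.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger",
     "value_data": r"C:\path\to\debugger.exe", "process": "devenv.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls",
     "value_name": "Updater", "value_data": r"C:\ProgramData\updater.dll", "process": "installer.exe"},
    {"key": r"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "value_data": r"C:\ProgramData\hook.dll", "process": "rundll32.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib",
     "value_data": "IconCodecService.dll", "process": "svchost.exe"},
    {"key": r"HKLM\System\ControlSet001\Control\Session Manager\AppCertDlls\Helper",
     "value_data": r"C:\ProgramData\helper.dll", "process": "msiexec.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['technique']:30} target={f['target']:12} by={f['process']} data={f['data']}")
```

Run stand-alone it prints the four hits from the constructed batch (the sethc.exe IFEO change, both AppCertDlls additions and the Wow6432Node AppInit_DLLs write) and stays silent on the notepad.exe debugger entry and the unrelated IconServiceLib value. The same normalisation is what makes the `contains` filters in the Advanced Hunting queries above safe to lift into a SIEM whose events come from Sysmon instead of WDATP.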



Example: Investigating Privilege Escalation
Option 3: Windows Defender ATP (Advanced Hunting)

More hunting scripts and scenarios:

Gibin John:
https://github.com/beahunt3r/Windows-Hunting

Examples:
• Detecting Impacket Use in the Organization.
• Identifying BITSAdmin execution.
• ProcDump execution.





Automated Remediation
Option 3: Windows Defender ATP (AIRS)

Step 1: Alert triggered via WDATP telemetry data.
Step 2: Invoke automated artefact collection and triage.
Step 3: Approve remediation in workflow.
Step 4: Machine fully remediated.


Microsoft security stack in the cloud
• Cloud App Security: http://bit.ly/2FACJlR
• Azure Active Directory Identity Protection: http://bit.ly/2p7nczH
• Azure ATP: http://bit.ly/2Im3sR2



Further Reading
What Where
Microsoft Docs – Windows 10 Defense http://bit.ly/2FE52Mi
The evolution of MITRE ATT&CK http://bit.ly/2tLDR0s
Windows Defender ATP Tech Community http://bit.ly/2GnwNKa
Threathunting using Sysmon http://bit.ly/2InacxP
Azure ATP Tech Community http://bit.ly/2Im3sR2
Questions?

Defending Microsoft
environments at scale
Vineet Bhatia (@ThreatHunting)

https://github.com/threathunting/Published-Content
