[vc_row content_placement=”middle”][vc_column width=”2/3″][vc_column_text]

For almost every organization, security is important, whether we are talking about physical or digital security. This holds regardless of the type of the organization or company and regardless of its size. In the digital world we often make the mistake of resting on the safety of firewalls, antivirus and email filters while not caring about the information security education of our employees. A reminder of what a few careless actions can cause:

  • Opening a phishing email
  • Allowing hidden macros in Word or Excel documents to run
  • Browsing compromised websites during working hours

Because if any of that happens, no matter how expensive our equipment or how thorough the employee education, everything was for nothing.

[/vc_column_text][/vc_column][vc_column width=”1/3″][/vc_column][/vc_row][vc_row][vc_column][vc_separator][/vc_column][/vc_row][vc_row content_placement=”middle”][vc_column width=”2/3″][vc_column_text]

But what can we do, and what is the solution for detecting threats like these?

Threat hunting fulfils this need perfectly. It is a practice in which an analyst searches for anomalies in the network: a persistent connection to a URL, a PowerShell script run, or a deleted malware sample. After a successful intrusion, the attacker can remain stealthily in a network for months, quietly collecting data, looking for confidential material, or obtaining login credentials that allow them to move laterally across the environment. Once the attacker has evaded detection and an attack has penetrated the organization’s defenses, many organizations lack the advanced detection capabilities needed to stop the advanced persistent threat from remaining in the network.

Free tools can serve as solutions, for example Maltego CE, YARA, AIEngine or YETI. There are also commercial solutions, for example Sqrrl, Mantix4 and Infocyte HUNT. A further fitting tool for this purpose is Microsoft Defender Advanced Threat Protection (MDATP), an EDR (Endpoint Detection and Response) product, which we will use in the scenario below. With its help events can be proactively monitored, which allows us to investigate interesting events or entities.

In the present scenario, an intern user who is part of the organization received a spear phishing email, and through it their credentials were leaked. The Word attachment, which contained a macro, was also allowed to run by the user. It is a general risk factor that users are commonly not educated for scenarios like this one. Even less attention is paid to interns, because most of the time they are only part of the company for a short period, for example 1-2 weeks or 1-2 months.

With the help of MDATP we can see the events generated by the user as well as the asset details related to the incident.[/vc_column_text][/vc_column][vc_column width=”1/3″][/vc_column][/vc_row][vc_row][vc_column][vc_separator][/vc_column][/vc_row][vc_row content_placement=”middle”][vc_column width=”1/2″][vc_column_text]

Drilling down further, we see more details about the incident: investigating the indicator and the incident graph gives more insight into the attack flow.

From a threat hunting perspective, inside MDATP the Kusto Query Language (KQL) supports us as an advanced hunting tool. Because we assume that the attack has not yet ended, we search for further PowerShell executions in our environment.

[/vc_column_text][vc_column_text]


// Process creation events from the last 7 days where PowerShell was started
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")   // in~ is case-insensitive
// Command lines that download or execute remote content.
// 'has' matches whole terms; 'contains' is a substring match, which is why it is used for "http:"
| where ProcessCommandLine has "Net.WebClient"
    or ProcessCommandLine has "DownloadFile"
    or ProcessCommandLine has "Invoke-WebRequest"
    or ProcessCommandLine has "Invoke-Shellcode"
    or ProcessCommandLine contains "http:"
    or ProcessCommandLine has "IEX"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by Timestamp

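The query above hunts for PowerShell download activity regardless of what launched it. In this scenario the entry point was a macro-enabled Word attachment, so a complementary hunt looks for Office applications spawning script interpreters and then pivots to the network connections those child processes made. The following query is an added example and not code from the original post; it assumes the standard MDATP advanced hunting schema for DeviceProcessEvents and DeviceNetworkEvents (columns ProcessId, InitiatingProcessId, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort), and the one-hour window used to narrow the join is an assumed value, not something the post specifies.

```kql
// Step 1: Office parent -> script interpreter child in the last 7 days.
// The application and interpreter lists are assumptions; extend them to fit the environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let interpreters = dynamic(["powershell.exe", "powershell_ise.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
let suspiciousChildren =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ (officeApps)   // in~ is case-insensitive
    | where FileName in~ (interpreters)
    | project SpawnTime = Timestamp, DeviceName, AccountName, ProcessId,
              ParentFileName = InitiatingProcessFileName,
              ParentCommandLine = InitiatingProcessCommandLine,
              FileName, ProcessCommandLine;
// Step 2: pivot to network connections made by those child processes.
// The join key is DeviceName plus process id; process ids are reused, so the
// result is narrowed to connections within one hour after the spawn (assumed window).
// leftouter keeps spawn events that made no connection, which are still worth reviewing.
suspiciousChildren
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ (interpreters)
    | project NetTime = Timestamp, DeviceName, InitiatingProcessId, RemoteUrl, RemoteIP, RemotePort
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId
| where isnull(NetTime) or NetTime between (SpawnTime .. (SpawnTime + 1h))
| project SpawnTime, DeviceName, AccountName, ParentFileName, ParentCommandLine,
          FileName, ProcessCommandLine, NetTime, RemoteUrl, RemoteIP, RemotePort
| order by SpawnTime desc
```

Rows whose parent is winword.exe and whose child command line matches the download patterns from the query above are the ones to triage first; the RemoteUrl and RemoteIP columns then give the indicators to add to the incident and to block at the proxy or firewall.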
[/vc_column_text][/vc_column][vc_column width=”1/2″][vc_single_image image=”30522″ img_size=”full”][/vc_column][/vc_row][vc_row][vc_column][vc_separator][/vc_column][/vc_row][vc_row content_placement=”middle”][vc_column width=”1/2″][vc_column_text]

  • Continuous user education on this topic
  • No administrator privileges for users
  • Disable PowerShell on user assets

[/vc_column_text][/vc_column][vc_column width=”1/2″][vc_single_image image=”30523″ img_size=”medium” alignment=”center”][/vc_column][/vc_row]
