Detect malicious Raspberry Pi or Arduino devices via MDE device discovery and Enterprise IoT

Derk van der Woude
5 min readDec 30, 2022

IoT (Internet of Things) devices are often unsecure by default (e.g. default admin username/password and/or not up-to-date software with vulnerabilties). Also these type of devices can be malicious (e.g. Kali Linux installed), easily hidden (small form factor) and connected to the corporate network (and attached to the internet via built-in 4G/5G modem) so the network can be compromised from the in- or outside of the network.

Microsoft Defender for Endpoint | Device Discovery

Microsoft Defender for Endpoint (MDE) has a feature called Device Discovery (device discovery is included in the MDE P2 or M365 E5 (Security) license, the Enterprise IoT add-on will be described later in the document) which is an agentless scanning feature of all network connected devices.

Each (or selected via tags) MDE device can scan the network (basic mode = passive scan or standard mode = active scan) and discover managed (Windows, Mac, iOS & Android) and unmanaged (e.g. network and/or IoT) devices.

Device discovery settings can be found via: Microsoft 365 Defender -> Settings -> Device discovery

  • Discovery setup to enable Basic (passive) or Standard (active) discovery. Initial setting is Basic discovery which is automatically switched to Standard discovery after 14 days
  • Exclusions to disable IP or subnet networks from Standard scanning

excluded networks will still be scanned in basic mode!

  • Monitored networks to enable (monitor) or disable (ignore) networks from being scanned (intelligence is used to include corporate networks and exclude home networks)
  • Data sources can use other (third party) data sources for device discovery (Corelight is supported atm.)
  • Authenticated scans are authenticated (e.g. SNMP Community string, NoAuthNoPriv, AuthNoPrive or AuthPriv) scans of network devices (e.g. switch or access point) via a dedicated scan device (MDE device with MdatpScanAgentSetup.msi software installed).
  • Enterprise IoT is a premium feature / plan (license) to enable the features: Risk (threat)- and Severity (vulnerability) levels IoT devices. Wil be described in more details in the next chapters.

Detection

Detection of (malicious) IoT devices can be configured via a Custom detection rule, e.g. the example I use (please modify for your needs) is to detect Raspberry Pi or Arduino devices which can be installed with Kali Linux.

Go to Hunting -> Advanced hunting (use the KQL example below)

DeviceInfo
| where Timestamp > ago(1d)
| where DeviceCategory == "IoT"
| where (Vendor contains "Raspberry" or Vendor contains "Arduino")
| summarize arg_max(Timestamp, *) by DeviceId
| distinct (DeviceName), DeviceId, DeviceSubtype, Vendor, OSPlatform, OSVersion, ReportId ,Timestamp

and select Create detection rule and edit some setting like Alert details (e.g. severity), impacted entities (DeviceId), Actions and Scope (All devices).

When a new IoT device is detected an alert -> incident is triggered in the Microsoft 365 Defender portal.

Enterprise IoT

The Enterprise IoT is plan is licensed (per set of 100 devices) via the settings of Device discovery and requires an Azure subscription

The Enterprise IoT is plan (license) enables the features: Risk (threat)- and Severity (vulnerability) levels of IoT devices.

Enterprise IoT sensor

The Enterprise IoT sensor is a Linux host (physical or virtual) with two network cards (one connected to the corporate network and one connected to the TAP/Span port of the enterprise network switch in promiscious mode to listen for network activity including device discovery, threats and vulnerabilities).

After configuring the hardware and connect the device to the network(s), install Linux (Ubuntu 22.04 in our example).

Onboard EIoT sensor

The sensor can be configured and deployed via Microsoft Defender for IoT portal.

Where Microsoft Defender for IoT (OT sensor) is a pre-configured deployment (.ISO), the Enterprise IoT sensor requires an Operating System (Linux) installed. Both sensors cannot be combined on the same device

In the section Management -> Sites and sensors -> Onboard sensor -> EIoT the sensor can be configured (name and subscription) and the deployment /activation script can be copied and used on the Linux machine.

During the deployment configure the interface for monitoring (connected to the TAP / Span network interface)

When the deployment is done, the sensor is visible in the Microsoft Defender for IoT portal under the section Sites and sensors -> Enterprise-network.

The sensor will scan (listen) the network for (computer & mobile, network and IoT) devices which are visible in the Devices section of MDE

and Device inventory of Microsoft Defender for IoT

I hope this blogs explains device discovery and enterprise IoT and the value it brings to secure the network.

You cannot protect what you do not know

--

--