In spring 2019 I have written a post on how you can hack yourself to better understand the Microsoft Tools that help you defend modern attacks. Since then, several months and one MS Ignite have been passed, in other words: things have changed.

In this blog post, we are going to take a closer look into the brand new (currently in private preview) Microsoft Security Portal called “Microsoft Threat Protection” – and we will show –based on some hacking activity– what value it adds for you.

So, another Security Portal? Really? – you ask?
Yes – one to consolidate them all – Microsoft replies!

Let’s have a look:

The MTP portal consolidates alerts and hunting data from Office ATP, Microsoft Defender ATP, Azure ATP and Microsoft Cloud App Security.

And it provides you with a data schema for Office ATP and MDATP, which means you can hunt over both data sources:

(There is more in this portal, like secure score and so on, but today, we concentrate on alerts, incidents and hunting).

The Malware

To get familiar with MTP, we will build our own attack. Therefore, I have written a small tool in .net, that downloads a picture from a certain URL and displays it:

That’s at least the user’s perspective. But our tool (it is called jpgLoader) has an extra functionality – it reads some metadata from the loaded jpg (EXIF) in which you normally find the name of the photographer and the like – and … it executes what it finds in there 🙂

As you can see, it executes cmd.exe and adds the arguments listed under label1.Text. Before that, the EXIF metadata of the jpg is written to label1.Text, which means, whatever we want to execute, must be written to the EXIF comment – how do you do that? Exactly, photoshop is your friend:

With that, our little jpgLoader will execute powershell and write “Hello EmptyDC” to the console.

Such techniques are not new. They are used to circumvent sandboxes that try to detonate (execute) attachments of Email and so on and then check what the exe is doing. If we assume, that the picture that is loaded does not have any malicious command line in the EXIF description field, it might be delivered. With the jpg on a certain URL, you kind of have a command & control server. Whenever you change the description field with a command of your choice, the jpgLoader would execute it for you.

The Attack

Now, lets send the jpgLoader to to test-user:

That Email was delivered to junk mail and smart screen also makes it harder for the user to execute the attachment. As you see, the delivery method would need some tweaking, but that’s not the intention of this post – so let’s proceed with the first real command:

We are doing some Active Directory ‘reconnaissance’ here. We are checking the members of several groups. Then, we make a DNS lookup for the domain controller and the domain:

All those on-premises reconnaissance tactics can be found here.

Whenever we want to execute a new command, we must update the description field via photoshop and then upload the picture to our website from which the picture is loaded by the jpgLoader.

The last thing we do is to execute a powershell that downloads mimikatz (again, there would be more advanced ways of doing that, but for the sake of this demo – we are fine):

Microsoft Threat Protection

MTP can help here to get more visibility into our attack. The first thing we see, when we go to ‘incidents’ is a new incident that contains alerts from multiple sources – which is great:

When you click on the incident, you get the list of the alerts and also find the reason why those alerts are contained in the same incident:

Now, let’s go hunting!

When you click on the MDATP alert, you will be redirected to the alert in the MDATP portal:

As you can see, MDATP displays the exact command we have written into the EXIF information. We also see that powershell was started via CMD. If we check the timeline of the machine, we find an interesting entry shortly before the alert happened:

If we now search the timeline for jpgLoader we find another interesting entry saying, OUTLOOK.EXE has created jpgLoader.zip.

Let’s now use advanced hunting to dig deeper. We can gather more information about the sender or about the computers on which our little malware was copied to – depending on the query we highlight:

Conclusion

MTP combines alerts and hunting data from the most important Microsoft Cloud Security tools. The hunt-able data will be extended over the time. This is a first great step into consolidation. I am looking forward to seeing more in this area.

The query only shows a very simple sample of what is possible. You can also combine the tables in the schema by a ‘join’. I will dig deeper into advanced hunting and the possibilities with the query language kusto in my next blog post. So long, thanks for reading!