Threat Hunting with MTP: The Sixth Sense

Could you imagine living without your senses? Some people have lost or never had one or even two senses during their life and somehow manage to live with it. Anyway, nobody can live without any sense. Senses are our connection to the world. They help us figure what’s going on and then enable us to make appropriate decisions. When your senses can gather more information, you can make better decisions.

But this is no automatism. The pure data-flood is no guarantee for good decisions and appropriate reactions. If you walk a dark street at night and somebody comes across you, your brain will immediately check the environment for more information. What’s the posture of that guy? Where is he looking at? How far away is the next busy street that promises more safety? Are you alone or do you have your child with you?

The key here is to corelate this information to get a preferably accurate image of reality. In threat hunting, we are doing exactly the same.

Microsoft Threat Protection is adding more and more information, you can query to find out what is happening.

In this post we will check how this can be utilized in a real-world scenario

Imagine, a commonly used software in your company has a vulnerability. Let’s take an example that was already used in the one or other post on this blog – sorry VLC 😉

Let’s assume you just learned about this new vulnerability in in VLC. Attackers can exploit it by sending .mkv files to your users via Email. Pretty easy – pretty dangerous.

So, from a blue-team perspective, which information would we want to have now asap?

Here is a wish-list:

  1. A list of all devices that have this vulnerability
  2. A list of all users that uses those devices
  3. If these users received .mkv files recently
  4. If these users opened those .mkv files

Ok, let’s see how we can hunt for that to sharpen our senses. The first thing we do is to hunt for devices that have this vulnerability:

(Note: you will find a link to the source code of the whole query at the end of this article)

Of course you can finetune this to better meet your needs and to get more search performance and less noise. The more explicit you can be – the better:

| where SoftwareVendor == “videolan”
| where SoftwareName == “vlc_media_player”
| where CveId == “CVE-XXXX-YYYY”

“all_computers_with_vlcvln” is our ‘variable’ and we declare it with ‘let’. At the end of the statement we need a semicolon. As you can see, we filter for vulnerabilities in our environment that contain “vlc” and making then a list of all device names with that vulnerability.

Next, we want to check which users belong to the vulnerable devices:

We query ‘DeviceInfo’ that holds ‘LoggedOnUsers’. LoggedOnUsers is a JSON in an array (“[]”)

and therefore, we need to do a multi-value expand (mvexpand) before we can parse it with ‘parsejson’.

Next, we want to know which of those users received a .mkv recently via Email:

For that we need the Email address of the user. Luckily the Advanced Hunting Team just added a new table (‘AccountInfo’) to the Hunting Scheme, with which we can map AccountName to EmailAddress:

We integrate that into our query:

You might have recognized before: it is important to work with the tolower() function when comparing values with lists (and of course you have to make sure to also lower the values before you insert them into a list). With that we have a list of the Email addresses of all affected users.

With that we can query the Office ATP namespace for all Emails received by those recipients that contained an attachment with an .mkv file:

Here you see the whole query:

Now, if you want to see if those affected users also ran the .mkv file you can take the first part of our query and add a query for file events:

You will find this query in my brand new GitHub repository.

I hope you enjoyed the hunt! More to come! Thanks for reading.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.