Windows Defender ATP: harnessing the collective intelligence of the InfoSec community for threat hunting

Maarten Goet
6 min read · Dec 31, 2018


The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware crypto worm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

It propagated through EternalBlue, an exploit in older Windows systems released by The Shadow Brokers a few months prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry’s spread was from organizations that had not applied these or were using older Windows systems that were past their end-of-life.

How can you detect malware such as WannaCry using Windows Defender ATP? By leveraging the collective intelligence of the InfoSec community to find the relevant background information and threat hunting queries, and then converting those queries into WDATP advanced hunting queries.

WannaCry is still a threat

Danny Palmer from ZDNet writes: “Over 18 months after it first caused chaos by encrypting hundreds of thousands of PCs around the world, WannaCry ransomware is very much still alive, with the percentage of infection attempts actually higher than it was this time last year.

Figures from Kaspersky Lab’s threat report for Q3 2018 say that WannaCry tops the list of the most widespread crypto families, with attempted attacks against 74,621 of the security firm’s users across the globe between July and September.

WannaCry ransomware attacks have risen as a proportion of the total attack compared with the same period last year: in Q3 2017, Kaspersky figures suggest WannaCry accounted for 17 percent of ransomware attacks, but now that figure has grown to account for 29 percent of all users targeted by ransomware.”

InfoSec community

So where do we go if we want more technical background about the WannaCry attack, or any attack for that matter?

For general information about what attack vectors adversaries use, you should check out MITRE’s ATT&CK framework. It has great in-depth information about attack surfaces, the technologies used, and how attackers are (mis)using these. They even have a great attack navigator.

Many of the threat detection vendors publish information on specific attacks on their websites, such as the write-up Symantec published for WannaCry. There is a lively discussion about threats on Twitter. And there are community places such as Reddit and IRC where you can engage with others to see what they have already found out about the attack.

What you’ll quickly find out is that the InfoSec community is all about sharing information. John Lambert, distinguished engineer at Microsoft’s Threat Intelligence Center, summarizes nicely why knowledge sharing is important:

“There is an African proverb: if you want to go fast, go alone — if you want to go far, go together”.

I encourage you to view John’s talk at MITRE ATT&CKcon where he talks about advancing InfoSec towards an open, shareable, contributor-friendly model of speeding InfoSec learning.

SIGMA to the rescue

You’ve found the information you need, but you still need the threat hunting queries to go with it. One option would be to write them yourself. However, many people out there are already sharing theirs. For instance, on GitHub you’ll find lots of them. There you’ll also find one for WannaCry.

But how do you get them to work in Windows Defender ATP? Well, SIGMA to the rescue!

Sigma, created by Florian Roth and Thomas Patzke, is an open source project to create a generic signature format for SIEM systems. The common analogy is that Sigma is the log file equivalent of what Snort is to IDS and what YARA is for file-based malware detection.

However, unlike Snort and Yara, support for Sigma does not have to be built into each application. Sigma acts as the proverbial “Rosetta stone” for all platform-specific query languages and enables translation across a myriad of search languages. For example:

Sigma → ArcSight
ArcSight → Sigma → Splunk
Splunk → Sigma → ArcSight
QRadar → Sigma → ArcSight

Conversions are constantly being added to the library with Elasticsearch, Kibana, GrayLog, LogPoint, Splunk, QRadar, ArcSight, and Qualys already supported. Earlier this year, support for Windows Defender ATP was added! This represents a revolutionary new approach to threat detection that dramatically reduces the overhead associated with traditional development of correlation rules and searches.

WDATP advanced hunting queries

Let’s take SIGMAC, Sigma’s command line converter tool, and use it to convert the WannaCry .yml file to something Windows Defender ATP can process.

python sigmac --target wdatp .\win_mal_wannacry.yml

Don’t want to install the SIGMAC tool? SOCPrime has built a web-based version of it called uncoder.io which essentially does the same thing. Need to edit the Sigma rule to tailor it to your specific requirements? No problem, you can use SIGMA’s free UI editor for that.
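To make the “Rosetta stone” idea concrete, here is an added example (my own code, not the Sigma project’s sigmac or its WDATP backend) that translates a small subset of the Sigma rule format into a WDATP advanced hunting query. The rule is a constructed sample that looks for shadow-copy deletion through vssadmin, a typical ransomware behaviour; it is not the win_mal_wannacry.yml rule from the Sigma repository. The table and column names (ProcessCreationEvents, FolderPath, ProcessCommandLine, EventTime, and so on) are assumptions based on the 2018-era advanced hunting schema and should be checked against the schema article before use. The converter supports only the process_creation log source, the endswith/startswith/contains/all modifiers, bare values with leading or trailing `*` wildcards, and conditions built from map names with `and`, `or` and `not`; anything else raises an error rather than producing a silently wrong query.

```python
"""Toy Sigma -> WDATP advanced hunting (KQL) converter (constructed example).

The real sigmac backend covers far more of the Sigma specification; this
block exists only to show what the translation step does. The rule below
is equivalent to this (constructed) Sigma YAML:

    title: Shadow copy deletion via vssadmin (constructed sample)
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            Image|endswith: '\\vssadmin.exe'
            CommandLine|contains|all:
                - 'delete'
                - 'shadows'
        filter:
            ParentImage|endswith: '\\backup_agent.exe'   # hypothetical exclusion
        condition: selection and not filter
"""

# ASSUMED mapping from Sigma log sources / fields to the 2018-era WDATP
# advanced hunting schema; verify against the current schema article.
TABLES = {"process_creation": "ProcessCreationEvents"}
FIELDS = {
    "Image": "FolderPath",
    "CommandLine": "ProcessCommandLine",
    "ParentImage": "InitiatingProcessFolderPath",
    "ParentCommandLine": "InitiatingProcessCommandLine",
    "User": "AccountName",
}

SAMPLE_RULE = {  # constructed sample, same content as the YAML in the docstring
    "title": "Shadow copy deletion via vssadmin (constructed sample)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\vssadmin.exe",
            "CommandLine|contains|all": ["delete", "shadows"],
        },
        "filter": {"ParentImage|endswith": "\\backup_agent.exe"},
        "condition": "selection and not filter",
    },
}


def kql_literal(value):
    """Quote a value as a KQL string literal; backslash and quote are escaped."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def single_term(column, value, modifiers):
    """One comparison. KQL contains/startswith/endswith/=~ are case-insensitive,
    which matches Sigma's case-insensitive string matching."""
    if "contains" in modifiers:
        return f"{column} contains {kql_literal(value)}"
    if "startswith" in modifiers:
        return f"{column} startswith {kql_literal(value)}"
    if "endswith" in modifiers:
        return f"{column} endswith {kql_literal(value)}"
    # Bare value: translate Sigma '*' wildcards at the edges of the string.
    raw = str(value)
    inner = raw.strip("*")
    if "*" in inner:
        raise ValueError(f"unsupported wildcard position in {raw!r}")
    if raw.startswith("*") and raw.endswith("*"):
        return f"{column} contains {kql_literal(inner)}"
    if raw.endswith("*"):
        return f"{column} startswith {kql_literal(inner)}"
    if raw.startswith("*"):
        return f"{column} endswith {kql_literal(inner)}"
    return f"{column} =~ {kql_literal(raw)}"


def field_expr(key, values):
    """'Field|mod1|mod2': list values are OR-ed, or AND-ed with the 'all' modifier."""
    name, *modifiers = key.split("|")
    column = FIELDS.get(name)
    if column is None:
        raise ValueError(f"no WDATP column mapping for Sigma field {name!r}")
    if not isinstance(values, list):
        values = [values]
    terms = [single_term(column, v, modifiers) for v in values]
    joiner = " and " if "all" in modifiers else " or "
    return "(" + joiner.join(terms) + ")" if len(terms) > 1 else terms[0]


def map_expr(mapping):
    """A Sigma map: every field clause must match."""
    if not isinstance(mapping, dict):
        raise ValueError("only map-style detection items are supported")
    return " and ".join(field_expr(k, v) for k, v in mapping.items())


def convert(rule, lookback="24h"):
    """Return the KQL query; the lookback defaults to the 24-hour window a
    scheduled detection rule runs on."""
    table = TABLES.get(rule["logsource"].get("category"))
    if table is None:
        raise ValueError(f"unsupported logsource {rule['logsource']!r}")
    detection = rule["detection"]
    parts = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            parts.append(token)
        elif token in detection:
            parts.append("(" + map_expr(detection[token]) + ")")
        else:
            raise ValueError(f"unsupported condition token {token!r}")
    return f"{table}\n| where EventTime > ago({lookback})\n| where {' '.join(parts)}"


if __name__ == "__main__":
    print(convert(SAMPLE_RULE))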

Let’s execute the rule in WDATP’s advanced hunting interface:

We can save the rule in My Queries for later usage:

Microsoft also maintains a repo containing sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. Simply paste a sample query into the query builder and run it.

PRO TIP: if you get syntax errors, try removing empty lines introduced when pasting. If a query returns no results, try expanding the time range.

To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. Microsoft published this article that lists all the available columns, along with their data types and descriptions.

Here’s an advanced query for you to try out:

print a = '🤖🎃😀🦓🙏🐾🌫🐨😜🌤🔬'
| extend a = extractall('(.)', a)
| mvexpand a
| extend a = substring(base64_encodestring(strcat('abracadabra', a)), 19)
| summarize Message = replace(@'[+]', ' ', replace(@'[[",\]]', "", tostring(makelist(a))))

Let me know in the comments below what it says 😊

Turning it into a detection rule

Based on this query, you can create a custom detection rule. When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours.

PRO TIP: since the detection automatically runs every 24 hours, it’s best to query data in the last 24 hours.

The detection rule will create an Alert if the query returns a result. Alerts can be accessed through the regular Windows Defender ATP web interface, but also programmatically through Microsoft’s Intelligent Security Graph. Or use WDATP’s native SIEM connector functionality to push the alerts forward to your favorite SIEM system.

Windows Defender ATP

Windows Defender is quickly becoming one of the best threat protection solutions out there.

As Tanmay Ganacharya points out: “Recently, anomaly detection algorithms in the WDATP pointed to multiple PDF files that only Microsoft detects. Blocked by ML models that assimilate signals from MTP, exemplifying how comprehensive telemetry, signal-sharing & ML allows Microsoft to deliver best-in-class security.”

Sean Friart of Avanade writes about their WDATP deployment: “We have more than 10,000 endpoints on our network, with a limited number of SecOps team members preventing, detecting, investigating and responding to threats. With Windows Defender ATP, we have full, near-real-time, historical, end-to-end visibility across those endpoints.”

Want to try Windows Defender ATP yourself? You can sign up for a 60-day trial here.

— Maarten Goet, MVP & RD
