Microsoft Threat Protection: going down the rabbit hole

Maarten Goet
Feb 24 · 6 min read
Image for post
Image for post

Recently, Microsoft announced the general availability of Microsoft Threat Protection (MTP). The new over-arching solution combines signals from Microsoft Defender ATP (endpoints), Office 365 ATP (email), Azure ATP (identity) and Microsoft Cloud App Security (apps) into one central portal.

Microsoft Threat Protection can automatically block attacks and eliminate their persistence to keep them from starting again, prioritize incidents for investigation and response, auto-heal assets and provides cross-domain hunting.

Unified hunting

Because the modern kill chain is evolving, there is a clear need to unify these signals and be able to see the bigger picture as threats are happening. Attacks are often orchestrated completely in the cloud and can also impact your hybrid environment.

Image for post
Image for post

Simulate a cross-product attack

Microsoft offers a sample script to simulate a cross-product attack, so that you can easily try out the new unified capabilities from Microsoft Threat Protection.

The scenario is a fileless PowerShell attack with process injection and SMB reconnaisance. It uses living-off-the-land techniques [1]

Image for post
Image for post

[1] https://cyware.com/news/lets-dig-deeper-on-how-cybercriminals-use-living-off-the-land-attack-tactics-cac5c132

Going down the rabbit hole

Let’s use the sample to learn some incident response investigation skills and let’s go down the rabbit hole to understand how the threats work under the cover.

The attack starts with a PowerShell script. The assumption is that a user might get tricked into running the script or that the script might be running from a remote connection to another computer from a previously infected machine — the attacker attempting to move laterally on the network.

When you first look at the PowerShell code, it might underwhelm you. Just one long line of code:

Looking deeper

When we closely examine the code, we see a reference to this URL: https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt. Opening that link will give you a long string:

Image for post
Image for post

This is a Base64 encoded string (https://en.wikipedia.org/wiki/Base64), something you will encounter a lot more in your threat hunting career.

OK, what now?

Well, as a starting investigator, you might not have a utility belt full of tools yet. But even if you are an experience professional, you are likely using Cyberchef: https://github.com/gchq/CyberChef

Image for post
Image for post

Cyberchef is an open-source tool, released by the UK’s spy agency called GCHQ. The tagline is ‘Cyber Swiss Army Knife — a web app for encryption, encoding, compression and data analysis’.

Loading the Base64 encoded string into Cyberchef and running the decode ‘recipe’ will give you the following result:

Image for post
Image for post

Not very human readable, right? Going back to the PowerShell script reveals another clue:

Image for post
Image for post

Do you see it? Look closely: $xor, UTF8 and a text string. Aha! Apparently the decoded Base64 string is then parsed in UTF-8 format and XOR’d using a key called WinATP-Intro-Injection.

Let’s add that to the CyberChef recipe and see what we get:

Image for post
Image for post

Now we’re getting somewhere! We can finally read what the code is. Or can we? Looking a bit closer and scrolling down the code, reveals another rabbit hole: a long string that starts with s_shellcode and has a lot of 0x characters.

Let’s find that rabbit

The string reveals that it is a byte array because it starts with new byte[]. Let’s go back to our CyberSwiss Army Knife and see if we can decode it.

Image for post
Image for post

We get the code to be executed, that is somewhat readable. However if we add the ‘Strings’ and ‘Regular Expression’ function to our recipe we get some more clues:

Image for post
Image for post

Bingo! Apparently it uses WinHttp.dll for internet communications. Further down we find the IP address: 204.79.197.203. And we find a suspicious string called MyHovercraftIsFullOfEels.

Image for post
Image for post
I guess there is some Python in this malicious code. Monty Python ;-)

Apparently somebody is a Monty Python fan in the Microsoft Threat Protection team :-) https://www.urbandictionary.com/define.php?term=My%20hovercraft%20is%20full%20of%20eels

Information on the IP address

Microsoft’s threat intelligence center (MSTIC) released some really nice python-based tools called msticpy last year, and continues to develop and extend these: https://msticpy.readthedocs.io/en/latest/

Image for post
Image for post

Two functions from msticpy that are particularly useful for this hunt are GeoIPLookup and TILookup. With the first we get more information on the location of the IP address and who’s behind it. With the latter we can submit the IoC observable to sources such as VirusTotal to understand whether or not it has already been flagged as rogue.

At the time of writing only one engine classifies the IP address as Malware. We also see that the IP address lives on network AS8068 from Microsoft corp: https://www.peeringdb.com/net/7472

Image for post
Image for post

My Hovercraft is Full of Eels

Opening up the IP address in a browser shows a “maintenance” message. However, if we look more closely, we find a weird string at the end of the HTML:

Image for post
Image for post

We can safely assume that this is the command and control (C2) IP address and that the MyHovercraftIsFullOfEels string is used to signal that it is the payload “calling”.

Challenge: can you find out how the C2 channel works? Post your clues and/or solution in the comments below, and win a Microsoft Threat Protection sticker.

PRO TIP: Be careful with using VirusTotal and directly opening URL’s. During a real attack the adversary might learn that you are on to them. My good friend Marcus Bakker has written a blog about this: https://www.mbsecure.nl/blog/2018/9/opsec-for-blue-teams-part-1. As an analyst you can also approach this with dynamic analysis (i.e. sandbox), to quickly and effectively get information.

Active Directory

Going back to the decoded main PowerShell script, we find another piece of the puzzle: scanning of Active Directory. The script gets the current domain of the user:

[System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain()

It then queries each of the domain controllers using the NetSessionEnum function in Netapi32.dll:

Image for post
Image for post

Process Injection

In the main script we also find a C# function to inject a process into another process. It first launches the original process (notepad.exe in this example) and then injects it with the shellcode we saw earlier:

Conclusion

As you can see, incident response investigation can behard, quite laborious, you need to persevere and then put all the pieces of the puzzle back together to understand the bigger picture. And we haven’t talked about mapping the attack vectors back to the MITRE ATT&CK framework, researching what (if any) data was stolen and if that is sensitive information.

Luckily, Microsoft Threat Protection (MTP) does this for us. Azure ATP will see the domain reconnaissance, Microsoft Defender ATP will see the C2 communication and process injection and with the information from Cloud App Security, MTP is able to instantly paint a picture of data being exfiltrated.

Image for post
Image for post
Microsoft Threat Protection

And diving deeper into the alerts gives us the detailed information:

Image for post
Image for post
Microsoft Defender ATP and the command and control IP address

Happy hunting!

— Maarten Goet, MVP & RD

Image for post
Image for post

Wortell

Microsoft Cloud & Enterprise Security

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store