image

Azure Cloud Detection

In this project, our primary focus is on fundamental Azure components, with the ultimate objective of establishing Microsoft Sentinel to identify attacker persistence. Here's a brief overview of our entire configuration:

1. Configure and deploy an Azure Resource Group containing the following:

  • Log Analytics Workspace
  • Virtual Machine running Windows 11
  • Virtual Network
  • Network Security Group
  • Microsoft Sentinel
  • Use the MITRE ATT&CK framework to map adversary tactics, techniques, and procedures
  • 2. Utilize data connectors to import data into Microsoft Sentinel for analysis.

    3. Configure Windows security policies and Windows Event Logs in the Security section.

    4. Query logs using Kusto Query Language.

    5. Develop custom analytic rules to detect Microsoft security events.

    6. Utilize the MITRE ATT&CK framework to align with adversary tactics, techniques, and procedures.

    MICROSOFT SENTINEL LAB NETWORK DESIGN & TOPOLOGY

    Arya_YARA_Rule_Results

    Part 1: Set up Azure Resources

    Step 1: Create a Resource Group

    This will be our container for all our resources.

    Arya_YARA_Rule_Results Arya_YARA_Rule_Results
    Step 2: Deploy a Virtual Machine

    Our VM will use Windows 11 as its operating system. We will go with the default settings for now and modify the network settings later.

    Create_VM_1 Create_VM_2 Create_VM_3 Create_VM_4 Create_VM_5

    Now that we have our VM set up, we have it's associated Virtual Network (VNet) which has an assigned IP address and network interface. We also have an Network Security Group (NSG) configured with our VNet with default settings. This will be used to filter network traffic to and from Azure resources. Similar to a firewall, filtering is based on rules that dictate source and destination ports and network protocols that are allowed or denied.

    If you look at the resource group created earlier, you'll see all this shown.

    VM_Resources_1

    If we select our NSG, we'll be able to see the default rules in place.

    VM_Resources_2

    If you look at the first rule, you will see that inbound RDP traffic is allowed from any source to any destination. RDP is necessary to access our Windows 11 VM. However, with this current setting, anyone who obtains our public IP (which can possibly be obtained via a network scan) can potentially connect to the VM as this is public facing. This presents a security risk as it makes the VM vulnerable to possibly a brute force or password spray attack.

    In order to reduce our attack surface, we need to enable a security feature called Just in Time (JIT) access. This will provide restricted access to our VM via time-based restrictions as well as implements the principle of least privilege by giving the option to restrict access to certain IP’s as well as RBAC roles.

    Anyone who wants access to the VM will need to request and based on their IP and assigned role they would be granted or denied access. By default, when creating your Azure Account, you are a Global Administrator so upon request you will be granted access to the VM.

    To set this up, we will be going into Microsoft Defender for Cloud.

    Security_Overview We'll be selecting our Azure Subscription here, but be mindful of which one you want to apply. Security_Overview_2

    By default, Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) are off but you will want to select "Enable all plans".

    Security_Overview_3

    After enabling the plan, navigate back to the homepage for Defender for Cloud and select Workload Protections on the left pane. From here, you'll want to enable JIT. I went ahead with the recommended configurations but use discretion in regards to your own configuration.

    Security_Overview_4 Security_Overview_5

    After you save these settings, anyone who is connecting via RDP or another management port will be constricted to a three hour time block upon approval which we will later grant.

    Go to your VM settings and click Connect on the left pane. Select the "Local machine IP" as your Source IP then select “Request access”.

    Security_Overview_6

    If we go to the networking tab for our VM, we can see our rules have been updated. Now RDP traffic is allowed for a certain amount of time only from the IP of your computer. Anyone else who attempts to establish a RDP connection will be blocked via our JIT access rules.

    Security_Overview_7
    Step 3: Create a Log Analytics Workspace and deploy Microsoft Sentinel

    When working with log data in Azure we need somewhere to store/operate that data. Log Analytics workspace is used to collect and store log data from Azure resources.

    Search “Log Analytics workspaces” in the search bar in Azure Portal. This will prompt you to create a Log Analytics workspace. Use the same resource group used for the VM you created in the previous step when filling out the necessary fields to create your Log Analytics workspace.

    Once you have those settings in place, Select "Review + Create" to launch that resource.

    Log_Analytics

    After that, search for "Microsoft Sentinel" and add that to your created workspace. Remember to select "Add"

    Log_Analytics_2

    Part 2: Getting Data into Microsoft Sentinel

    After the Microsoft Sentinel deployment, if we go into the incidents tab on the left we will see we don’t have any incidents currently as there is no data being fed into Microsoft Sentinel. We're going to utilize data connectors and create a data collection rule to bring in data from our VM.

    Microsoft_Sentinel_1

    Go to the "Data connectors" tab. This is where we can select the type of data that we want to bring into our SIEM. We'll want to install "Windows Security Events via AMA" so that we can collect data regarding Windows Security Events.

    Microsoft_Sentinel_2 Microsoft_Sentinel_3 Microsoft_Sentinel_4 Microsoft_Sentinel_5 Microsoft_Sentinel_6 Microsoft_Sentinel_7 Microsoft_Sentinel_8 Microsoft_Sentinel_9

    See how now the data connectors are green in those bars? That means they're connected and running.

    Part 3: Generating Security Events

    Now that our VM is connected to Microsoft Sentinel and our Log Analytics Workspace, we need to transport data from our logs. To do this, we'll need to perform some actions on Windows 11 events that will generate security alerts.

    Windows keeps a record of several types of security events. These events cover several potential scenarios such as privileged use, logon events, processes, policy changes, etc.

    We will now observe some Windows security events on our VM, so we'll ensure the VM is started and running. In the "Networking" section, you will find a public IP address. Use an RDP client, such as Remote Desktop Connection (RDC) to access your VM by entering in this public IP address.

    Note: You might need to refresh the page after starting the VM for the public IP address to appear.

    In the Connect area, you'll find a quick configuration setup to prepare your RDC connection, which we'll use.

    Microsoft_Sentinel_10

    Enter the IP address, Username and Password created when the VM was made.

    Microsoft_Sentinel_11

    Once we're in, we'll head over to the Event Viewer. We'll set our focus on the Security Windows Event Logs (WEL's), specifically Event ID's of 4624 since that contains events of successful account logon activity, an important security event to keep track of.

    Microsoft_Sentinel_12 Microsoft_Sentinel_13

    Part 4: Kusto Query Language (KQL)

    The purpose of a SIEM such as Microsoft Sentinel is to bring data like this into a centralized location. In an enterprise, we would want data coming from all our endpoints and VMs. In this example, we will pull this specific event log within Microsoft Sentinel.

    Microsoft_Sentinel_14

    By hitting that X button, you'll be brought to the KQL query custom writing area. We'll be writing with this logic here to pull those logs.

    Microsoft_Sentinel_15

    While I won't be reviewing all of KQL's syntax here, Microsoft does a pretty good job at reviewing over that with their documentation, which can find here.

    Put simply, this query will pull security events where the event ID is 4624 and only pull back the time the logon event occurred, what computer it came from and what account generated the event.

    Now, since AccountName isn't generating data, that column is going to be blank. We need Microsoft Sentinel to put in that data for us. We'll address this later when we create our analytic rule.

    Part 5: Writing Analytic Rules and Generating Scheduled Tasks

    Before we create our analytic rule, we'll need to set up a scheduled task on our VM in order to populate some data.

    The Windows Security Event ID that corresponds to scheduled task creation is 4698. However, these events are not logged by default in the Windows event viewer. To enable logging for this event we need to make some changes to the Windows Security policy in our VM.

    We'll go into our Local Security Policy and expand out "Advanced Audit Policy Configuration" then drill down to "Object Access". You'll then want to select "Audit Other Object Access Events"

    Microsoft_Sentinel_20 Microsoft_Sentinel_21

    Logging will now be enabled for the scheduled task event. Now we'll go ahead and make the scheduled task itself.

    Open Task Scheduler and navigate to “Create Task”, Add a name and change the “Configure For” OS to Windows 10 (There is no Windows 11 option as of May 2024 but if this changes in the future, use that option instead).

    Microsoft_Sentinel_22

    You'll then want to implement your trigger. Select “new” and schedule the task for a time close to your current time. Then select “OK”.

    Microsoft_Sentinel_23

    Lastly, we'll need to set up an action. Navigate to the action section, select "new," then select "Start a program". We'll configure the action of opening up Internet Explorer everytime this task runs.

    Microsoft_Sentinel_24

    Once that all is done, select "OK" and now that your scheduled task is made, you can go into event viewer and search for that Event ID 4698 in the security logs. You'll see our created scheduled task event there.

    Microsoft_Sentinel_25

    Now that we have our scheduled task set up, We'll create a custom analytic rule that will check our VM for the activity that matches the rule logic and generates an alert anytime that activity is observed. These details in such an alert can help start an investigation into determining whether the alert event is a false positive or not.

    Microsoft_Sentinel_16

    These are a list of alerts that we can enable our SIEM to monitor that come out of the box. If you wish, you can expand some and see what they are comprised of by right-clicking them and selecting "Create". These rules will only fire if the logic is met by a security event on your VM.

    For our example, we will be creating an analytic rule that will alert us whenever a scheduled task is created on a host. You'll want to consider the MITRE ATT&CK framework and the tactics, techniques, and procedures (TTP's) when writing out these rules. In this case, Persistence is the technique we'll be tracking here. We'll want to create a scheduled query rule for this.

    Microsoft_Sentinel_17 Microsoft_Sentinel_18

    Next we will set up the rule logic that will cause our alert to fire.

    Microsoft_Sentinel_19

    Now before we go any further, let's check out the results of our query first by selecting "View query results".

    Microsoft_Sentinel_26

    We can see now that scheduled task we made. If we expand that out, we'll see all of that Security Event data. We want to focus on the EventData category for

    Microsoft_Sentinel_27

    The data we pull from this area includes stuff such as the "TaskName", the "ClientProcessID", and the "SubjectUserName", which is username of the account that created the scheduled task.

    Now if we go back to writing our KQL query, We'll go ahead and put in the Project and Parse logic. The former will display our data fields as columns and the latter will extract data from the Event Data Field.

    Microsoft_Sentinel_28

    See how much cleaner that looks? Now let's go back to editing our analytic rule with this new KQL query. You'll notice the "Alert enhancement" area which allows us to add context to the alert to make it easier to read.

    As opposed to having to query this data as we did in the analytic rule, this will allow us to put the necessary data into the alert details as "Entities" so we can investigate specific components. We'll use the data we pulled in our KQL query for the Entity mapping.

    Microsoft_Sentinel_29

    The only other setting that we'll change is how often the query is run and when to look up the data. Change the defaults to the following:

    Microsoft_Sentinel_30

    We're going to ignore the Incident Settings and Automated Response sections and just review and create the analytic rule. Now if we create another scheduled task in our VM, it'll trigger that rule in Microsoft Sentinel.

    Note: that since we made the query run every five minutes, it'll take the rule to trigger.

    Microsoft_Sentinel_31

    On the right pane you'll see all the necessary information needed to begin investigating the alert such as the host machine, user account, process ID of the task, and the name of the scheduled task.

    In this case, the scheduled task is non-malicious. in the event it was however, you'd want to investigate the entities such as the user account, the scheduled task, host, etc. This begins the lead up to EDR solutions and other security tools to decide if this is a false positive or true positive.

    Part 6: MITRE ATT&CK Framework Composition

    Now that we have detected attacker presistence successfully in Azure, let's go ahead and map out what occured in the MITRE ATT&CK framework and how we can properly mitigate this attack. This is also useful to do if follow up reporting is required.

    The observed MITRE ATT&CK tactic used was TA0003 Persistence which essentially allows a malicious threat actor to maintain a foothold in an environment.

    Microsoft_Sentinel_32

    If we scroll down, we'll see the technique used (T1053, Scheduled Task/Job).

    Microsoft_Sentinel_33 Microsoft_Sentinel_34

    We'll then see all the sub-techniques, with ours being T1053.005 along with multiple procedure examples of ATPs, mitigation and detection tactics.

    Microsoft_Sentinel_35 Microsoft_Sentinel_36

    If you under the detection section, you'll see where we found our detection ID, Data Source and Data Component (DS0003, Scheduled Job, Scheduled Job Creation) that we used within Microsoft Sentinel, that being Event ID 4698 on Windows 10, Server 2016 - Scheduled task created.

    Microsoft_Sentinel_37

    If you got to the end of this in one piece, congratulations! You should now know how to work with Microsoft Sentinel and some aspects of Windows and Azure.