ISC Stormcast For Wednesday, August 2nd, 2023 https://isc.sans.edu/podcastdetail/8598

Zeek and Defender Endpoint

Published: 2023-08-02. Last Updated: 2023-08-02 00:23:05 UTC
by Tom Webb (Version: 1)
0 comment(s)

 

Windows Defender has had Zeek built into it since October 2022, and it comes in handy with remote workforces when trying to do Incident response. Initially released, it only supported a few protocols, but now it supports 7. Please run the following query to get the latest list of what Zeek protocols it supports.

 

DeviceNetworkEvents

| where ActionType contains 'ConnectionInspected'

| distinct ActionType

 

DnsConnectionInspected

SslConnectionInspected

HttpConnectionInspected

IcmpConnectionInspected

SshConnectionInspected

SmtpConnectionInspected

FtpConnectionInspected

 

 

The bro data is in the "AdditionalFields" section for HTTP queries. Here is what is currently available to query.

 

direction

host

method

request_body_len

response_body_len

status_code

tags

trans_depth

uri

User_agent

version

 

 

A simple query to get just all POST methods and get a feel for how it works.

DeviceNetworkEvents

| where ActionType == 'HttpConnectionInspected' and AdditionalFields contains "POST"

 

 

Quick Scenario

A device named ClickHappy got a phishing email that went to IP 1.2.3.4, and the web form is an HTTP post. The user was off the corporate network then, so you do not have your typical network monitoring stack to rely on. You can query Defender if they sent a POST to the website.

 

DeviceNetworkEvents

| where ActionType == 'HttpConnectionInspected' and AdditionalFields contains "POST" and DeviceName contains "Clickhappy" and RemoteIP == "1.2.3.4"

 

If you got a result for the query, the user likely fell for the attack. 

 

The additional fields are in JSON; to search very specifically, use this format. In this case, Im looking for user agent "gSOAP/2.7".

 

DeviceNetworkEvents

| where Timestamp > ago(1h) and ActionType == "HttpConnectionInspected"

| extend json = todynamic(AdditionalFields)

| extend user_agent = tostring(json.user_agent)

| where user_agent == "gSOAP/2.7"

 

There are many great hunts people are already using for Zeek data with SecurityOnion, and all of these still apply to this data set too. You can also pull in external data and run queries against that data. In this case, we are grabbing a data feed with a list of malicious user agents and querying the last 5 days of data. 

 

let bad_useragent = (externaldata(useragent_list: string)

[@"https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list"]

with (format= "txt"))

| project useragent_list;

bad_useragent

| join (DeviceNetworkEvents

| where Timestamp > ago(5d) and ActionType == "HttpConnectionInspected"

| extend json = todynamic(AdditionalFields)

| extend user_agent = tostring(json.user_agent)

)on $left.useragent_list == $right.user_agent

 

For DNS queries here are the query options.

 

direction

trans_id

rtt

query

qclass

qclass_name

qtype

qtype_name

rcode

uid

rcode_name

AA

TC

RD

RA

answers

TTLs

rejected

ts

 

 

To query DNS names, use the below query. 

 

DeviceNetworkEvents

| where ActionType == 'DnsConnectionInspected'

| extend json = todynamic(AdditionalFields)

| extend query = tostring(json.query)

| where query == "download.windowsupdate.com"

 

 

MS has some great articles covering other queries and valuable things, so you should check them out below. 

 

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enrich-your-advanced-hunting-experience-using-network-layer/ba-p/3794693

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-network-signatures-in-microsoft-defender-for/ba-p/3429520

 

 

 

 

 

 

 

Keywords:
0 comment(s)

Comments


Diary Archives