Microsoft Defender ATP Indicators of Compromise IoC
Most organizations don't realize they are under attack until it's too late. In fact, a recent study revealed that it can take more than 200 days to discover that you have been compromised. In this blog post I am going to explain how Microsoft Defender ATP Indicators of Compromise (IoCs) help you detect these attacks, and how you can add custom IoCs and apply them to your machines. By the end of this post you will be able to enable and configure Defender ATP indicators and use them to protect your company.
Introduction to Indicators of Compromise IoC
Indicators of compromise (IoCs), as the name implies, are the suspicious or unusual behaviours and the abnormal traffic that indicate something malicious is running on a computer or network. Indicators are typically revealed during forensic investigation or malware analysis, and they serve as evidence (artifacts) that an attack or other malicious activity has taken place.
These indicators are normally inspected and analyzed during a typical incident response procedure, usually in response to a current incident or suspicious activity on a system. One of the most common starting points is a suspicious email with an attachment. The email and its attachment are analyzed to reveal what is hidden inside: the hidden content is normally crafted to trick an ordinary user into opening or viewing it, which may result in a compromise.
Another source of indicators is system, network and application logs and events. Investigating these logs is very effective at revealing unusual patterns, and Security Information and Event Management (SIEM) systems play a vital role here: they correlate and analyze logs from many different kinds of sources.
IoCs are very helpful both in stopping an attack in progress and in preventing future ones. Blocking the indicators can stop a current compromise and block later attempts, including new variants that originate from the same source.
The main kinds of Indicators of Compromise (IoCs) are as follows:
- IP addresses that a program would not normally contact, particularly connections to remote servers in unexpected geographical locations. Such servers may be command and control (C2) servers. For example, you are browsing a European site and notice traffic to servers in Asia that are not part of that website.
- Domain names of botnets. These are regularly updated and published by several threat intelligence platforms.
- Virus signatures.
- File hashes (MD5, SHA-1 or SHA-256) of a malicious document, email attachment or image under investigation. Prefer SHA-256 where the receiving tool supports it, since MD5 collisions are cheap to produce.
- URLs of command and control servers or botnets.
- Unusual use of highly privileged accounts. For example, a domain admin account accessing business file shares at midnight definitely looks suspicious.
- Unusual DNS requests.
How can we extract these indicators (IoCs)?
So how do security professionals get these indicators from a suspicious file, IP address, domain and so on? This is the job of malware analysts. The normal process starts by loading the suspicious file into an isolated environment (a sandbox) so that no production system is infected. The analyst then scans it with advanced malware detection tools; this is the fastest and easiest route to identifying known malware.
Other techniques, such as static analysis, can be used to examine the file without running or opening it. This covers hashes, file headers and other properties. Because static analysis may not reveal much, the analyst can move on to interactive dynamic analysis, which means running the file in the sandbox to understand how it behaves. Finally, reverse engineering can be applied to recover the original logic and code of the suspicious file.
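As an added illustration of the static step (my own example, not code from the original post), the script below computes the hashes an analyst would record as IoCs and reads the COFF file header of a Windows PE file without executing anything. The sample input is a hand-built minimal DOS/PE header constructed for the demo; it is not a real program, and the rest of the PE format (optional header, sections, imports) is deliberately not modelled.

```python
"""
Static triage of a suspicious file: hashes and a look at the PE header, without
executing anything (added example, not from the original post). The sample bytes
are a hand-built minimal DOS/PE header, constructed for the demo; it is not a real
program and the rest of the file format is deliberately not modelled.
"""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* values and characteristics flags from the PE/COFF specification
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def file_hashes(data):
    """Hex digests an IoC feed or sandbox typically wants. Prefer SHA-256; MD5 collisions are cheap."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_header_info(data):
    """Read the DOS header pointer and the COFF file header; None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte "PE\0\0" signature followed by the 20-byte COFF file header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        # the compile timestamp is attacker-controlled, but an odd value is still a triage lead
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "executable": bool(flags & IMAGE_FILE_EXECUTABLE_IMAGE),
        "dll": bool(flags & IMAGE_FILE_DLL),
    }


def triage(data):
    """Combine hashes and header facts into one record an analyst can attach to a ticket."""
    return {"hashes": file_hashes(data), "pe": pe_header_info(data), "size": len(data)}


def build_sample_pe():
    """Constructed input: 'MZ' stub, e_lfanew = 0x40, PE signature, COFF header for an x86-64 EXE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 1556668800, 0, 0, 0, IMAGE_FILE_EXECUTABLE_IMAGE)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Nothing here runs the file, so it is safe to apply to a sample before it is submitted to a sandbox. A file with an `MZ` prefix but no valid PE signature is reported as not a PE image rather than parsed as one, which is how packed or corrupted samples usually present.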
However, this is not common or practical for every organization and incident response team. Another common alternative, which I use most of the time, is submitting the suspicious file to an online analysis service. Normally I submit malicious files, fraudulent URLs or IP addresses to a malware analysis system. Two of the most commonly used free online malware analysis systems are:
- Microsoft Security Intelligence malware analysis. This is open to anyone, even if you are not a Microsoft customer, and you can submit anonymously. It is mainly used to submit files; you can easily track the submission and get notified with the results once the analysis is done.
- Hybrid Analysis, based on the CrowdStrike Falcon Sandbox. Here you can submit files and URLs, and search the database for suspicious IP addresses as well.
The result of this analysis is a set of IoCs: file hashes, IP addresses or URLs. This is where Microsoft Defender ATP indicators come into play.
Submission of IoCs to Microsoft Defender ATP Indicators
Now that you have acquired your IoCs, whether from your malware analysis tools, your security operations center or a public advisory on the internet, the next step is to upload them to Microsoft Defender ATP Indicators. Once loaded, you can define the action to take whenever one of these IoCs is observed. Microsoft Defender ATP Indicators accepts IoCs in three formats:
- File hashes. This has been the most common way to submit IoCs.
- IP addresses. A newly added feature in Microsoft Defender ATP Indicators, based on several customer requests.
- URLs/domains. Again a newly added feature.
How can I submit Indicators of Compromise (IoCs)?
First, after logging in to your Microsoft Defender ATP console, you need to create some machine groups. These become very handy when you add IoCs and apply actions to specific machines. You will probably want a machine group for all computers in your domain, or for specific development/test computers, and so on.
Windows Defender ATP configuration
First, navigate to Microsoft Defender ATP Settings – Machine groups
In this example I am creating a group for all machines in my domain and setting the automation level to Full. Full means that any remediation action, such as blocking a malicious file, is carried out automatically without waiting for an analyst to approve it, so consider a semi-automated level for groups where an automatic remediation could disrupt production. I will cover automated investigation and remediation in Microsoft Defender ATP in a separate post. The group membership can be based on the domain (for all your computers), on a naming convention (computers whose names start with a common prefix) or on the operating system.
Next, you need to turn on the Allow or block file feature under Advanced features, and likewise Custom network indicators. These two features must be enabled for hash and IP/domain IoC submission respectively to take effect. This is explained in detail below.
Finally, go to the Microsoft Defender ATP Indicators option and start adding the IoCs acquired earlier. Again, these can be file hashes, IP addresses or URLs/domains.
Indicators of compromise IoC Prerequisites
For file hash submission, there are a few prerequisites:
- It works only on Windows 10 version 1703 or later.
- The Allow or block file feature must be enabled.
- Windows Defender Antivirus must be running on the client machines with cloud-delivered protection enabled.
For IP address and URL/domain submission, the prerequisites differ slightly (again, these are newly released features):
- Windows 10 version 1709 or later.
- Windows Defender Network Protection running in block mode on all your machines.
- The Custom network indicators feature is enabled.
For more information, please check the Microsoft documentation on managing indicators of compromise.
In this example a generic (test) IP address is added as an indicator. Any user who tries to reach this IP will be blocked.
Next you need to specify the action to take when this indicator is matched, that is, whenever any machine or user connects to this IP.
Three action options are available:
- Allow. Use this, for example, when the IP is only a test address or a known false positive.
- Alert. Mainly used to investigate further and avoid blocking legitimate but unknown IPs. Traffic is still allowed.
- Alert and block. An alert is raised and the traffic to the indicator is blocked. This is why we enabled the Allow or block file and Custom network indicators features earlier in the settings.
Finally you need to set the scope: will this apply to all machines or only to specific ones? This is where the machine groups created earlier come in.
After specifying the scope, hit Next to review the summary and add the new indicator. The next time a user or machine tries to visit this IP address it is blocked, as defined by the IoC. Note that the block is enforced on the endpoint by Network Protection, so a machine that does not meet the prerequisites above will not enforce it.
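The same submission (type, action, title, expiry and machine-group scope) can be scripted against the Defender ATP Indicators REST API instead of clicking through the portal, which is how bulk or feed-driven loading is done. The following is an added example written for this post, not the author's code or a Microsoft sample. It assumes an Azure AD app registration with the Ti.ReadWrite application permission, and the endpoint and field names (indicatorValue, indicatorType, action, rbacGroupNames, expirationTime) as documented for the Indicators API at the time; verify them against current Microsoft documentation before use. The IP used is an RFC 5737 test address and the machine group name is made up.

```python
"""
Submit an indicator to Microsoft Defender ATP through its Indicators REST API
rather than the portal (added example, not from the original post). Assumptions:
an Azure AD app registration with the Ti.ReadWrite application permission, and the
endpoint and field names documented for the Indicators API at the time of writing;
check them against current Microsoft documentation before use.
"""
import ipaddress
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://api.securitycenter.windows.com"
INDICATORS_URL = "https://api.securitycenter.windows.com/api/indicators"

ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}   # the three actions offered in the portal
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify_indicator(value):
    """Derive the API indicatorType from the raw value so a feed can be loaded without hand-labelling."""
    v = value.strip()
    if _HEX.match(v):
        by_len = {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}
        if len(v) in by_len:
            return by_len[len(v)]
    try:
        ipaddress.ip_address(v)
        return "IpAddress"
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")):
        return "Url"
    if _DOMAIN.match(v):
        return "DomainName"
    raise ValueError(f"cannot classify indicator: {value!r}")


def build_indicator(value, action, title, description, rbac_groups=None, days_valid=90, severity="Medium"):
    """Build the JSON body for POST /api/indicators; rbac_groups limits the scope to named machine groups."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    # always set an expiry: stale block rules are a common source of self-inflicted outages
    expires = datetime.now(timezone.utc) + timedelta(days=days_valid)
    payload = {
        "indicatorValue": value.strip(),
        "indicatorType": classify_indicator(value),
        "action": action,
        "title": title,
        "description": description,
        "severity": severity,
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    if rbac_groups:
        payload["rbacGroupNames"] = list(rbac_groups)   # omitted means all machines
    return payload


def get_token(tenant, client_id, client_secret):
    """OAuth2 client-credentials flow against Azure AD for the Defender ATP resource (network call)."""
    body = urllib.parse.urlencode({
        "resource": RESOURCE,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body)) as resp:
        return json.load(resp)["access_token"]


def submit_indicator(token, payload):
    """POST the indicator; the response echoes the stored indicator including its id (network call)."""
    req = urllib.request.Request(
        INDICATORS_URL,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo: only the payload is built. 203.0.113.45 is an RFC 5737 test address.
    print(json.dumps(build_indicator("203.0.113.45", "AlertAndBlock", "Test C2 address",
                                     "Added from sandbox report", rbac_groups=["All domain machines"]), indent=2))
```

Only `get_token` and `submit_indicator` touch the network; everything up to the payload runs offline, so the classification and validation can be unit-tested before a credential is ever involved. Keep the client secret out of the script (environment variable or a secret store), and start new indicators with the Alert action on a test machine group before switching to AlertAndBlock across the domain.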
In this post I tried to explain the idea and concept of indicators of compromise, the common types of IoCs, and how you can extract and obtain them. I then looked at Microsoft Defender ATP indicators and how they are implemented in the ATP tool. I added a test IP IoC manually, but you can also do this automatically by creating automated rules in ATP, by importing IoCs in bulk, or by pulling them directly from another threat intelligence platform.
In upcoming articles I will explain how to partner and connect Microsoft Defender ATP with other platforms, as well as with open threat intelligence frameworks, so that MDATP can be fed with IoCs coming from third parties. The aim is to share these IoCs between different threat intelligence platforms for one goal: protecting your environment and blocking the bad guys.