User Guide

Synapse-Microsoft-Defender User Guide

Synapse-Microsoft-Defender adds Storm commands that query the Microsoft Defender APIs (Defender for Endpoint, Defender 365 and Defender TI) with an existing API client and model the results as Synapse nodes.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API client configuration.

Microsoft Defender for Endpoint Examples

Setting your personal API client

To set up a personal API client (the --self flag stores the configuration for your own user; without it the configuration is set Cortex-wide, which is normally done by your Admin):

The tenant ID, client ID and client secret are those of an Azure app registration. Because the secret is stored in the Cortex, grant that registration only the Defender API permissions these commands need and rotate it like any other credential.

> microsoft.defender.endpoint.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender for Endpoint API client configuration for the current user.

Ingest Alerts

Ingest alerts with microsoft.defender.endpoint.alerts and yield the results:

> microsoft.defender.endpoint.alerts --status InProgress --created (2023-11-05, 2023-11-07) --yield
risk:alert=b4ee5d222ae4e39dc582f316712461f5
        .created = 2024/05/17 16:41:01.388
        :benign = false
        :desc = A known tool or technique was used to gather information on this device. Attackers might be trying to gather information about the target device or network for later attacks.
        :detected = 2023/11/06 18:30:14.424
        :ext:id = da119bb773-4f15-4264-b679-ae9e2ad31aaf_1
        :name = Suspicious Process Discovery
        :severity = low
        :type = microsoft.defender.discovery
        :verdict = microsoft.defender.malware

Pivot across the refs edges to the nodes the alert references (here the processes involved and the ATT&CK techniques):

> risk:alert:ext:id=da119bb773-4f15-4264-b679-ae9e2ad31aaf_1 -(refs)> *
it:exec:proc=068da84a25b5bbda679649f1888b3284
        .created = 2024/05/17 16:41:02.660
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = "taskkill.exe" /t /f /im python*
        :exe = sha256:a78771ba588bc29d1dd246ac72ca858dc10f044f9d29d30b1ed6efb3e492a707
        :path = c:/windows/syswow64/taskkill.exe
        :path:base = taskkill.exe
        :pid = 8864
        :time = 2023/11/06 18:33:19.562
it:exec:proc=46f09de280b34b0f8ac619eee1afdad6
        .created = 2024/05/17 16:41:02.241
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = svchost.exe -k netsvcs -p -s Winmgmt
        :exe = sha256:0ad27dc6b692903c4e129b1ad75ee8188da4b9ce34c309fed34a25fe86fb176d
        :path = c:/windows/system32/svchost.exe
        :path:base = svchost.exe
        :pid = 3368
        :time = 2023/11/06 18:16:07.334
it:exec:proc=ac7cb05e3e259d40fe5b934437bff2bc
        .created = 2024/05/17 16:41:02.450
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\TEMP\pss15FA.ps1"
        :exe = sha256:c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
        :path = c:/windows/system32/windowspowershell/v1.0/powershell.exe
        :path:base = powershell.exe
        :pid = 9188
        :time = 2023/11/06 18:25:50.564
it:exec:proc=73018edd49b4a0cfcc65ad5d4fcc5c10
        .created = 2024/05/17 16:41:02.030
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = "taskkill.exe" /f /im ai_exec_server*
        :exe = sha256:a78771ba588bc29d1dd246ac72ca858dc10f044f9d29d30b1ed6efb3e492a707
        :path = c:/windows/syswow64/taskkill.exe
        :path:base = taskkill.exe
        :pid = 10064
        :time = 2023/11/06 18:33:18.897
it:mitre:attack:technique=T1057
        .created = 2024/05/17 16:41:01.434
it:mitre:attack:technique=T1047
        .created = 2024/05/17 16:41:01.417
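The ingest and the pivot above can be chained into a single triage pass. The following is an added example, not part of the package or its documentation: the tag name cno.triage.defender, the regular expressions and the closing pivot to it:account (a standard-model property pivot, since it:exec:proc:account is an it:account) are this example's own choices.

```storm
// Added example: one-pass triage of the alerts shown above.
// 1. Ingest in-progress alerts for the window, drop anything Defender marked benign, tag the rest.
microsoft.defender.endpoint.alerts --status InProgress --created (2023-11-05, 2023-11-07) --yield
| +:benign=false
| [ +#cno.triage.defender ]
// 2. Walk the refs edges to the processes each alert cites and keep the two patterns seen
//    above: PowerShell run with -ExecutionPolicy Bypass on a script under \TEMP\, and
//    taskkill with an image-name wildcard. Single-quoted Storm strings are raw, so the
//    backslashes reach the regex engine as written.
| -(refs)> it:exec:proc
| +(
    (:path:base=powershell.exe and :cmd~='(?i)-executionpolicy bypass' and :cmd~='(?i)\\temp\\')
    or
    (:path:base=taskkill.exe and :cmd~='/im [^ ]*\*')
  )
// 3. Tag the matching processes, then pivot to the account that ran them.
| [ +#cno.triage.defender ]
| :account -> it:account
```

Run without the final pivot to see the tagged processes themselves; the tag lets a later `#cno.triage.defender` lift recover the whole chain without re-querying the API.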

Microsoft Defender 365 Examples

To set-up a personal use API client:

> microsoft.defender.365.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender 365 API client configuration for the current user.

Ingest Incidents

Ingest incidents as risk:attack nodes, creating their related alerts as risk:alert nodes, and yield the incidents:

> microsoft.defender.365.incidents --created (2023-12-05, 2023-12-12) --yield
risk:attack=93b253e242514d2462a9bc6e02fa8801
        .created = 2024/05/17 16:41:03.154
        :desc = Multi-stage incident on one endpoint
        :detected = 2023/12/08 18:10:01.240
        :ext:id = 2
        :reporter:name = microsoft
        :severity = medium
        :type = microsoft.defender.securitytesting
        :url = https://security.microsoft.com/incidents/2?tid=36f1173a-a5b7-4c65-a65b-1bdf319cd660

Pivot to the related alerts (each alert's :attack property points back at the incident, so the property pivot finds them):

> risk:attack:ext:id=2 -> risk:alert
risk:alert=b4ee5d222ae4e39dc582f316712461f5
        .created = 2024/05/17 16:41:01.388
        :attack = 93b253e242514d2462a9bc6e02fa8801
        :benign = false
        :desc = A known tool or technique was used to gather information on this device. Attackers might be trying to gather information about the target device or network for later attacks.
        :detected = 2023/11/06 18:30:14.424
        :ext:id = da119bb773-4f15-4264-b679-ae9e2ad31aaf_1
        :name = Suspicious Process Discovery
        :severity = low
        :type = microsoft.defender.discovery
        :url = https://security.microsoft.com/alerts/da119bb773-4f15-4264-b679-ae9e2ad31aaf_1?tid=36f1173a-a5b7-4c65-a65b-1bdf319cd660
        :verdict = microsoft.defender.malware
risk:alert=678b536473fe10fbcba2d53e6d29b32b
        .created = 2024/05/17 16:41:04.935
        :attack = 93b253e242514d2462a9bc6e02fa8801
        :benign = false
        :desc = This file exhibits behaviors or traits of malware. It might do one or more of the following:
                1. Give a remote attacker access to your PC.
                2. Download and install other malware.
                3. Record your keystrokes and the sites you visit.
                4. Send information about your PC, including user names, passwords and browsing history, to a remote malicious hacker.
                5. Use your computer for click-fraud, bitcoin mining, DDoS attacks and spamming.
        :detected = 2023/11/06 18:30:07.936
        :ext:id = da99b8b9bd-5f60-4499-b3ea-b605d7d423f8_1
        :name = A suspicious file was observed
        :severity = medium
        :type = microsoft.defender.malware
        :url = https://security.microsoft.com/alerts/da99b8b9bd-5f60-4499-b3ea-b605d7d423f8_1?tid=36f1173a-a5b7-4c65-a65b-1bdf319cd660
        :verdict = microsoft.defender.multistagedattack
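The incident-to-alert pivot above extends naturally to the processes the alerts reference. The following is an added example, not part of the package: it chains incidents, alerts and processes under one triage tag and reports the alert count per incident. The tag name cno.incident.triage and the severity threshold are this example's own choices; :severity is compared as an enumerated integer, so the threshold uses the enum name.

```storm
// Added example: incident -> alert -> process chain under one tag, with a per-incident count.
init { $tally = $lib.stats.tally() }

microsoft.defender.365.incidents --created (2023-12-05, 2023-12-12) --yield
| +:severity>=medium
| [ +#cno.incident.triage ]
| $incident = :ext:id
// The subquery tags the alerts and the processes they reference but yields the incident unchanged,
// so the query's output is still the list of incidents.
| {
    -> risk:alert
    $tally.inc($incident)
    [ +#cno.incident.triage ]
    -(refs)> it:exec:proc
    [ +#cno.incident.triage ]
  }

// Runs once after all incidents have streamed past.
fini {
    for ($id, $count) in $tally {
        $lib.print('incident {id}: {count} alert(s)', id=$id, count=$count)
    }
}
```

For the window shown above this reports incident 2 with its two alerts; a later `#cno.incident.triage` lift returns the incident, its alerts and the referenced processes together.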

Microsoft Defender TI Examples

To set-up a personal use API client:

> microsoft.defender.ti.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender TI API client configuration for the current user.

Ingest Articles by a Search Term

> microsoft.defender.ti.articles --query metastealer --yield
media:news=4b7108f015ca53d3cb987ba48aca994d
        .created = 2024/05/17 16:41:07.422
        :ext:id = 1e4f407d
        :published = 2023/12/22 21:21:54.063
        :publisher:name = microsoft
        :summary = A new malvertising campaign has been observed distributing the MetaStealer malware.
        :title = new metastealer malvertising campaigns
        :updated = 2023/12/22 21:21:54.063
        :url = https://ti.defender.microsoft.com/articles/1e4f407d
        :url:fqdn = ti.defender.microsoft.com
        #rep.microsoft.malvertising
        #rep.microsoft.metastealer
        #rep.microsoft.osint
        #rep.microsoft.t1003_os_credential_dumping
        #rep.microsoft.t1005_data_from_local_systems
        #rep.microsoft.t1047_windows_management_instrumentation
        #rep.microsoft.t1053_scheduled_task_job
        #rep.microsoft.t1056_input_capture
        #rep.microsoft.t1064_scripting
        #rep.microsoft.t1091_replication_through_removable_media
        #rep.microsoft.t1129_shared_modules
        #rep.microsoft.t1574_002_hijack_execution_flow_dll_side_loading
        #rep.microsoft.t1574_010_services_file_permissions_weakness
media:news=13f9a28f1d937ea9827cf45cc9ffea19
        .created = 2024/05/17 16:41:08.725
        :ext:id = fe10be68
        :published = 2022/05/23 11:32:28.000
        :publisher:name = microsoft
        :summary = MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year. Israeli intelligence firm, Kela, first identified its emergence on underground marketplaces.  Significant findings include:
                   - Heavy reliance on open-source libraries
                   - Microsoft Defender Bypass
                   - Scheduled Task Persistence
                   - Password Stealer
                   - Keylogger
                   - Hidden VNC server

                   Currently seen distributed via phishing as Excel attachments.

                   Early on in execution, a PowerShell command adds an exclusion rule to Microsoft Defender, effectively turning off scanning of files with ‘.exe’ extension. This decreases the chances of the main payload being detected as well as any subsequent payloads that may be delivered to the target host post infection.  To maintain persistence, a scheduled task is created to trigger at user login, ensuring the malware remains across reboots.
        :title = metastealer new information stealer variant
        :updated = 2022/05/23 11:32:28.093
        :url = https://ti.defender.microsoft.com/articles/fe10be68
        :url:fqdn = ti.defender.microsoft.com
        #rep.microsoft.excel
        #rep.microsoft.keylogger
        #rep.microsoft.macros
        #rep.microsoft.malware
        #rep.microsoft.metastealer
        #rep.microsoft.passwordstealer
        #rep.microsoft.phishing
        #rep.microsoft.powershell

Pivot to selected indicator forms referenced by the article:

> media:news:ext:id=fe10be68 -(refs)> (inet:email, inet:ipv4)
inet:email=m.jones@wolsleyindustrialgroup.com
        .created = 2024/05/17 16:41:08.856
        :fqdn = wolsleyindustrialgroup.com
        :user = m.jones
inet:email=info@kanzas.msk.ru
        .created = 2024/05/17 16:41:09.350
        :fqdn = kanzas.msk.ru
        :user = info
inet:email=andresbolivar@southerncompanygas.co
        .created = 2024/05/17 16:41:08.965
        :fqdn = southerncompanygas.co
        :user = andresbolivar
inet:email=mjones@wolsleyindustrialgroup.co
        .created = 2024/05/17 16:41:08.928
        :fqdn = wolsleyindustrialgroup.co
        :user = mjones
inet:ipv4=193.106.191.162
        .created = 2024/05/17 16:41:09.405
        :type = unicast
inet:email=jhurris@wolsleyindustrialgroup.com
        .created = 2024/05/17 16:41:08.892
        :fqdn = wolsleyindustrialgroup.com
        :user = jhurris
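The article tags and the indicator pivot above can be turned into something an analyst can act on. The following is an added example, not part of the package: it maps Microsoft's t1047_... style tags onto it:mitre:attack:technique nodes (the same form the endpoint alerts reference), then harvests the referenced indicators and their sending domains under one tag. The tag name cno.threat.metastealer and the tag-parsing logic are this example's own choices; the $lib.regex, $lib.str and string/list methods used are standard Storm.

```storm
// Added example: ATT&CK mapping plus indicator harvest from the MetaStealer articles.
microsoft.defender.ti.articles --query metastealer --yield
// 1. For each tag like rep.microsoft.t1574_002_hijack_execution_flow_dll_side_loading,
//    derive T1574.002 and link the technique node with a refs edge. The work happens in a
//    subquery so each article is yielded once, not once per tag.
| {
    for $tag in $node.tags('rep.microsoft.t1*') {
        $parts = $tag.split('.').index(2).split('_')
        $tid = $parts.index(0).upper()
        // a three-digit second element is a sub-technique number
        if $( $parts.size() > 1 and $lib.regex.matches('^[0-9]{3}$', $parts.index(1)) ) {
            $tid = $lib.str.concat($tid, '.', $parts.index(1))
        }
        [ +(refs)> { [ it:mitre:attack:technique=$tid ] } ]
    }
  }
// 2. Harvest the referenced emails and addresses, tag them, and tag the sending domains
//    (inet:email -> inet:fqdn follows the :fqdn property) without dropping the emails.
| -(refs)> (inet:email, inet:ipv4)
| [ +#cno.threat.metastealer ]
| { +inet:email -> inet:fqdn [ +#cno.threat.metastealer ] }
```

After this runs, `it:mitre:attack:technique=T1047 <(refs)- *` returns both the endpoint alert and the article, which is the join between the two data sources that the raw API responses do not give you.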

Use of meta:source nodes

Synapse-Microsoft-Defender uses a meta:source node and -(seen)> lightweight edges to track every node observed from the Microsoft Defender APIs.

> meta:source=fa17230ff7baf510432808e0e3acdc09
meta:source=fa17230ff7baf510432808e0e3acdc09
        .created = 2024/05/17 16:41:01.295
        :name = microsoft defender for endpoint api
        :type = synapse.microsoft.defender

Storm can filter any set of nodes to include or exclude those observed by Synapse-Microsoft-Defender by testing for the seen edge. The following example restricts a query's results to nodes observed by Synapse-Microsoft-Defender:

> it:mitre:attack:technique +{ <(seen)- meta:source=fa17230ff7baf510432808e0e3acdc09 }
it:mitre:attack:technique=T1047
        .created = 2024/05/17 16:41:01.417
it:mitre:attack:technique=T1057
        .created = 2024/05/17 16:41:01.434
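The same meta:source guid answers broader bookkeeping questions. The following is an added example, not part of the package: it sweeps everything the endpoint source has observed, tallies it by form, and returns only the endpoint alerts that no incident has claimed. The guid is the one shown above; the init/fini blocks and $lib.stats.tally are standard Storm.

```storm
// Added example: what has the Defender for Endpoint source written, and which alerts are orphans?
init {
    $src = fa17230ff7baf510432808e0e3acdc09
    $tally = $lib.stats.tally()
}

// Every node the source has observed, via the seen edges; count each form as it streams past.
meta:source=$src -(seen)> *
| { $tally.inc($node.form()) }

// Keep only alerts, and only those without a parent risk:attack, i.e. not yet part of an incident.
| +risk:alert -:attack

// Runs once after all nodes have been processed.
fini {
    for ($form, $count) in $tally {
        $lib.print('{form}: {count}', form=$form, count=$count)
    }
}
```

To get the complement of the page's filter, negate it: `it:exec:proc -{ <(seen)- meta:source=$src }` returns the processes in the Cortex that did not come from Defender (another sensor, a manual entry), which is the usual first check when two EDR sources disagree.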