User Guide

Synapse-Microsoft-Defender User Guide

Synapse-Microsoft-Defender adds new Storm commands to allow you to query the Microsoft Defender APIs using an existing API client.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API client configuration.

Microsoft Defender for Endpoint Examples

Setting your personal API client

To set-up a personal use API client:

> microsoft.defender.endpoint.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender for Endpoint API client configuration for the current user.

Ingest Alerts

Ingest alerts with microsoft.defender.endpoint.alerts and yield the results:

> microsoft.defender.endpoint.alerts --status InProgress --created (2023-11-05, 2023-11-07) --yield
risk:alert=b4ee5d222ae4e39dc582f316712461f5
        .created = 2024/12/20 18:09:01.425
        :benign = false
        :desc = A known tool or technique was used to gather information on this device. Attackers might be trying to gather information about the target device or network for later attacks.
        :detected = 2023/11/06 18:30:14.424
        :ext:id = da119bb773-4f15-4264-b679-ae9e2ad31aaf_1
        :name = Suspicious Process Discovery
        :severity = low
        :type = microsoft.defender.discovery
        :verdict = microsoft.defender.malware

Pivot to referenced nodes:

> risk:alert:ext:id=da119bb773-4f15-4264-b679-ae9e2ad31aaf_1 -(refs)> *
it:exec:proc=068da84a25b5bbda679649f1888b3284
        .created = 2024/12/20 18:09:02.826
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = "taskkill.exe" /t /f /im python*
        :exe = sha256:a78771ba588bc29d1dd246ac72ca858dc10f044f9d29d30b1ed6efb3e492a707
        :path = c:/windows/syswow64/taskkill.exe
        :path:base = taskkill.exe
        :pid = 8864
        :time = 2023/11/06 18:33:19.562
it:exec:proc=46f09de280b34b0f8ac619eee1afdad6
        .created = 2024/12/20 18:09:02.365
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = svchost.exe -k netsvcs -p -s Winmgmt
        :exe = sha256:0ad27dc6b692903c4e129b1ad75ee8188da4b9ce34c309fed34a25fe86fb176d
        :path = c:/windows/system32/svchost.exe
        :path:base = svchost.exe
        :pid = 3368
        :time = 2023/11/06 18:16:07.334
it:exec:proc=ac7cb05e3e259d40fe5b934437bff2bc
        .created = 2024/12/20 18:09:02.593
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\TEMP\pss15FA.ps1"
        :exe = sha256:c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
        :path = c:/windows/system32/windowspowershell/v1.0/powershell.exe
        :path:base = powershell.exe
        :pid = 9188
        :time = 2023/11/06 18:25:50.564
it:exec:proc=73018edd49b4a0cfcc65ad5d4fcc5c10
        .created = 2024/12/20 18:09:02.135
        :account = c4bfa402f336ea5710c5cb735f77d96a
        :cmd = "taskkill.exe" /f /im ai_exec_server*
        :exe = sha256:a78771ba588bc29d1dd246ac72ca858dc10f044f9d29d30b1ed6efb3e492a707
        :path = c:/windows/syswow64/taskkill.exe
        :path:base = taskkill.exe
        :pid = 10064
        :time = 2023/11/06 18:33:18.897
it:mitre:attack:technique=T1057
        .created = 2024/12/20 18:09:01.473
it:mitre:attack:technique=T1047
        .created = 2024/12/20 18:09:01.455

Microsoft Defender 365 Examples

To set-up a personal use API client:

> microsoft.defender.365.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender 365 API client configuration for the current user.

Ingest Incidents

Ingest incidents as risk:attack nodes, with their related alerts, and yield the results:

> microsoft.defender.365.incidents --created (2023-12-05, 2023-12-12) --yield
risk:attack=93b253e242514d2462a9bc6e02fa8801
        .created = 2024/12/20 18:09:03.363
        :desc = Multi-stage incident on one endpoint
        :detected = 2023/12/08 18:10:01.240
        :ext:id = 2
        :reporter:name = microsoft
        :severity = medium
        :type = microsoft.defender.securitytesting
        :url = https://security.microsoft.com/incidents/2?tid=36f1173a-a5b7-4c65-a65b-1bdf319cd660

Pivot to the related alerts:

> risk:attack:ext:id=2 -> risk:alert
risk:alert=b4ee5d222ae4e39dc582f316712461f5
        .created = 2024/12/20 18:09:01.425
        :attack = 93b253e242514d2462a9bc6e02fa8801
        :benign = false
        :desc = A known tool or technique was used to gather information on this device. Attackers might be trying to gather information about the target device or network for later attacks.
        :detected = 2023/11/06 18:30:14.424
        :ext:id = da119bb773-4f15-4264-b679-ae9e2ad31aaf_1
        :name = Suspicious Process Discovery
        :severity = low
        :type = microsoft.defender.discovery
        :url = https://security.microsoft.com/alerts/da119bb773-4f15-4264-b679-ae9e2ad31aaf_1?tid=36f1173a-a5b7-4c65-a65b-1bdf319cd660
        :verdict = microsoft.defender.malware
risk:alert=678b536473fe10fbcba2d53e6d29b32b
        .created = 2024/12/20 18:09:05.286
        :attack = 93b253e242514d2462a9bc6e02fa8801
        :benign = false
        :desc = This file exhibits behaviors or traits of malware. It might do one or more of the following:
                1. Give a remote attacker access to your PC.
                2. Download and install other malware.
                3. Record your keystrokes and the sites you visit.
                4. Send information about your PC, including user names, passwords and browsing history, to a remote malicious hacker.
                5. Use your computer for click-fraud, bitcoin mining, DDoS attacks and spamming.
        :detected = 2023/11/06 18:30:07.936
        :ext:id = da99b8b9bd-5f60-4499-b3ea-b605d7d423f8_1
        :name = A suspicious file was observed
        :severity = medium
        :type = microsoft.defender.malware
        :url = https://security.microsoft.com/alerts/da99b8b9bd-5f60-4499-b3ea-b605d7d423f8_1?tid=36f1173a-a5b7-4c65-a65b-1bdf319cd660
        :verdict = microsoft.defender.multistagedattack

Microsoft Defender TI Examples

To set-up a personal use API client:

> microsoft.defender.ti.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender TI API client configuration for the current user.

Ingest Articles by a Search Term

> microsoft.defender.ti.articles --query metastealer --yield
media:news=4b7108f015ca53d3cb987ba48aca994d
        .created = 2024/12/20 18:09:07.961
        :ext:id = 1e4f407d
        :published = 2023/12/22 21:21:54.063
        :publisher:name = microsoft
        :summary = A new malvertising campaign has been observed distributing the MetaStealer malware.
        :title = new metastealer malvertising campaigns
        :updated = 2023/12/22 21:21:54.063
        :url = https://ti.defender.microsoft.com/articles/1e4f407d
        :url:fqdn = ti.defender.microsoft.com
        #rep.microsoft.malvertising
        #rep.microsoft.metastealer
        #rep.microsoft.osint
        #rep.microsoft.t1003_os_credential_dumping
        #rep.microsoft.t1005_data_from_local_systems
        #rep.microsoft.t1047_windows_management_instrumentation
        #rep.microsoft.t1053_scheduled_task_job
        #rep.microsoft.t1056_input_capture
        #rep.microsoft.t1064_scripting
        #rep.microsoft.t1091_replication_through_removable_media
        #rep.microsoft.t1129_shared_modules
        #rep.microsoft.t1574_002_hijack_execution_flow_dll_side_loading
        #rep.microsoft.t1574_010_services_file_permissions_weakness
media:news=13f9a28f1d937ea9827cf45cc9ffea19
        .created = 2024/12/20 18:09:09.359
        :ext:id = fe10be68
        :published = 2022/05/23 11:32:28.000
        :publisher:name = microsoft
        :summary = MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year. Israeli intelligence firm, Kela, first identified its emergence on underground marketplaces.  Significant findings include:
                   - Heavy reliance on open-source libraries
                   - Microsoft Defender Bypass
                   - Scheduled Task Persistence
                   - Password Stealer
                   - Keylogger
                   - Hidden VNC server

                   Currently seen distributed via phishing as Excel attachments.

                   Early on in execution, a PowerShell command adds an exclusion rule to Microsoft Defender, effectively turning off scanning of files with ‘.exe’ extension. This decreases the chances of the main payload being detected as well as any subsequent payloads that may be delivered to the target host post infection.  To maintain persistence, a scheduled task is created to trigger at user login, ensuring the malware remains across reboots.
        :title = metastealer new information stealer variant
        :updated = 2022/05/23 11:32:28.093
        :url = https://ti.defender.microsoft.com/articles/fe10be68
        :url:fqdn = ti.defender.microsoft.com
        #rep.microsoft.excel
        #rep.microsoft.keylogger
        #rep.microsoft.macros
        #rep.microsoft.malware
        #rep.microsoft.metastealer
        #rep.microsoft.passwordstealer
        #rep.microsoft.phishing
        #rep.microsoft.powershell

Pivot to select indicators referenced by the article:

> media:news:ext:id=fe10be68 -(refs)> (inet:email, inet:ipv4)
inet:[email protected]
        .created = 2024/12/20 18:09:09.499
        :fqdn = wolsleyindustrialgroup.com
        :user = m.jones
inet:[email protected]
        .created = 2024/12/20 18:09:10.030
        :fqdn = kanzas.msk.ru
        :user = info
inet:[email protected]
        .created = 2024/12/20 18:09:09.616
        :fqdn = southerncompanygas.co
        :user = andresbolivar
inet:[email protected]
        .created = 2024/12/20 18:09:09.576
        :fqdn = wolsleyindustrialgroup.co
        :user = mjones
inet:ipv4=193.106.191.162
        .created = 2024/12/20 18:09:10.088
        :type = unicast
inet:[email protected]
        .created = 2024/12/20 18:09:09.538
        :fqdn = wolsleyindustrialgroup.com
        :user = jhurris

Use of meta:source nodes

Synapse-Microsoft-Defender uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Microsoft-Defender API.

> meta:source=fa17230ff7baf510432808e0e3acdc09
meta:source=fa17230ff7baf510432808e0e3acdc09
        .created = 2024/12/20 18:09:01.322
        :name = microsoft defender for endpoint api
        :type = synapse.microsoft.defender

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Microsoft-Defender. The following example shows how to filter the results of a query to include only results observed by Synapse-Microsoft-Defender:

> it:mitre:attack:technique +{ <(seen)- meta:source=fa17230ff7baf510432808e0e3acdc09 }
it:mitre:attack:technique=T1047
        .created = 2024/12/20 18:09:01.455
it:mitre:attack:technique=T1057
        .created = 2024/12/20 18:09:01.473