
This site is an automatic translation of http://www.marcelosincic.com.br; the original is in Portuguese.

MITRE – Comparison between EDRs

One of the most discussed topics in recent years is how traditional antivirus compares with next-generation antivirus (NGAV), and with behavioral tools such as ATA and ATP (covered in earlier posts on this blog).

As these products evolved, the term EDR (Endpoint Detection and Response) became common, and newer names such as XDR (Extended Detection and Response) appeared for products that correlate endpoint telemetry with machine learning in a SaaS back end.

How to Evaluate an EDR?

This is the question many people now ask. In the past we tested antivirus with a pen drive full of malware samples, but for EDR and XDR a test based on signature files (DAT) is not enough, because these products are meant to detect behavior, not known files.

To assess these capabilities, MITRE (today through MITRE Engenuity), well known for the MITRE ATT&CK® knowledge base, runs the ATT&CK Evaluations: its red team emulates a known adversary's techniques against each participating vendor's product, and the detections are published step by step.

The more attack steps a product detects, the better its visibility of the attack that was launched. Note that MITRE Engenuity publishes no score or ranking; it publishes what each product reported for each step, and the type of detection (raw telemetry versus an analytic naming the tactic or technique) matters as much as the count.

How to Access and Read the MITRE Engenuity ATT&CK Evaluations?

Open the ATT&CK® Evaluations website (mitre-engenuity.org) for an overview of the process; at the time of writing there are 3 different "rounds", each emulating a known adversary:

  • APT3 – A group attributed to the Chinese government; the emulation is based on credential theft, lateral movement with scripts, rootkits and bootkits
  • APT29 – A group attributed to the Russian government, active since 2008; the emulation is based on PowerShell and WMI
  • Carbanak+FIN7 – Today among the most specialized groups, targeting financial institutions with a wide range of techniques, sophisticated enough to abuse the operating system's own administrative tools and even point-of-sale (POS) systems

Once the 3 test sets are understood, we generally look at Carbanak+FIN7, which is the most sophisticated and the most recent.

Selecting products for comparison, for example Microsoft versus McAfee, shows the ways and techniques each NGAV used to detect the attack steps.

Comparative-1

In this comparison we can see the details of each attack step and the type of detection the EDR produced; clicking link [1] shows the detection detail the Microsoft product generated:

Comparative-1-Details

The detail page for each vendor gives a summary of how effectively the product detected the steps and the detections it generated for each set of attacks submitted:

Detalhamento-1

The table shows the number of sub-steps in the emulation and how many of them Microsoft's EDR identified, covering the steps before, during and after the main attack.

Below the summary table you can see the details of the attacks carried out, organized by the MITRE ATT&CK matrix, and see, per round, the tactic, technique, sub-technique and steps that the EDR identified. Clicking a technique opens the details of each item.

Detalhamento-2

Another useful piece of data is the per-step detection detail, which shows what the EDR actually reported:

Tecnica aplicada
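Reading the results step by step is tedious once you compare several vendors, so the script below does the counting. It is an added example and not part of the original post or of the MITRE Engenuity site; the JSON it parses is constructed here to illustrate the shape of per-sub-step results (the published results files use a different schema, so adapt the property names), and only the detection category names (None, Telemetry, General, Tactic, Technique) are the ones the Carbanak+FIN7 round uses. The point it makes is the caveat above: "steps detected" counts telemetry-only hits the same as a detection that names the technique, so the example separates the two.

```powershell
# Added example (not from the original post). Summarises a vendor's ATT&CK Evaluation
# detections per sub-step. The JSON is CONSTRUCTED for this example; real results files
# have a different schema. Category names match the Carbanak+FIN7 round.
$evaluationJson = @'
{
  "vendor": "ExampleVendor",
  "substeps": [
    { "id": "1.A.1", "technique": "T1204.002", "tactic": "Execution",           "detections": ["Telemetry", "Technique"] },
    { "id": "1.A.2", "technique": "T1059.001", "tactic": "Execution",           "detections": ["Telemetry"] },
    { "id": "2.A.1", "technique": "T1082",     "tactic": "Discovery",           "detections": [] },
    { "id": "2.B.1", "technique": "T1003.001", "tactic": "Credential Access",   "detections": ["Telemetry", "General"] },
    { "id": "3.A.1", "technique": "T1021.002", "tactic": "Lateral Movement",    "detections": ["Technique"] },
    { "id": "3.B.1", "technique": "T1071.001", "tactic": "Command and Control", "detections": ["None"] }
  ]
}
'@

# Ordered from least to most specific detection; 'General' and above are analytics,
# 'Telemetry' alone means the product only logged something a human could find later.
$rank = @{ 'None' = 0; 'Telemetry' = 1; 'General' = 2; 'Tactic' = 3; 'Technique' = 4 }

function Get-DetectionSummary {
    param([Parameter(Mandatory)][string]$Json)
    $data = $Json | ConvertFrom-Json
    $rows = foreach ($s in $data.substeps) {
        # Keep the most specific category reported for the sub-step; an empty list counts as None
        $best = 'None'
        foreach ($d in $s.detections) { if ($rank[$d] -gt $rank[$best]) { $best = $d } }
        [pscustomobject]@{
            SubStep   = $s.id
            Tactic    = $s.tactic
            Technique = $s.technique
            Best      = $best
            Visible   = ($best -ne 'None')                      # any visibility at all
            Analytic  = ($rank[$best] -ge $rank['General'])     # an actual alert, not only raw telemetry
        }
    }
    [pscustomobject]@{
        Vendor         = $data.vendor
        SubSteps       = $rows.Count
        VisibleCount   = ($rows | Where-Object Visible).Count
        AnalyticCount  = ($rows | Where-Object Analytic).Count
        TechniqueCount = ($rows | Where-Object Best -eq 'Technique').Count
        MissedSubSteps = ($rows | Where-Object { -not $_.Visible } | ForEach-Object SubStep)
        ByTactic       = $rows | Group-Object Tactic | ForEach-Object {
                             [pscustomobject]@{ Tactic = $_.Name; Total = $_.Count
                                                Analytic = ($_.Group | Where-Object Analytic).Count } }
        Rows           = $rows
    }
}

$summary = Get-DetectionSummary -Json $evaluationJson
"{0}: {1}/{2} sub-steps visible, {3} with an analytic detection, {4} at Technique level; missed: {5}" -f `
    $summary.Vendor, $summary.VisibleCount, $summary.SubSteps, $summary.AnalyticCount,
    $summary.TechniqueCount, ($summary.MissedSubSteps -join ', ')
$summary.ByTactic | Format-Table -AutoSize
$summary.Rows | Format-Table SubStep, Tactic, Technique, Best, Visible, Analytic -AutoSize
```

On the constructed data the script reports 4 of 6 sub-steps visible but only 3 with an analytic detection and 2 at Technique level, which is the difference a simple "steps detected" count hides; the per-tactic table shows where coverage is telemetry-only, which is where the SOC will have to hunt manually.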

How to Reproduce the Same Validated Environment in Tests?

Maybe you already use one of the vendors that were tested, but you are not sure you have the right components and settings.

After all, it is important to remember that each vendor configures its own product for these tests before MITRE runs the emulation, so we know they used a carefully built set of tools and configurations.

Because of this, each vendor publishes a configuration report on the same website; in the case of Microsoft, we can see the products and settings used:

Vendor Configuration

Upload speed affected on Windows 10 Hyper-V

When enabling Hyper-V on Windows 10 you may find that upload performance drops drastically, to the point of almost zero!

This problem happened to me on 3 different devices (Dell Latitude, Vostro and a T110), each with a different network card. Importantly, all 3 are 5 GHz Wi-Fi cards.

Solution: disable Large Send Offload (LSO) on the Hyper-V virtual Ethernet adapter. The reason is that the Wi-Fi cards I used do not implement this offload, so the virtual adapter advertises a capability the physical card cannot honor, and the mismatch kills upload throughput.

Tela2

Tela3

Result: below is the performance before enabling Hyper-V and sharing the network card, after it was enabled, and finally with LSO disabled.

Tela1
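The same change can be made and verified from PowerShell instead of the adapter's property sheet, which is useful when you want to check several machines. The script below is an added example, not from the original post: it locates the Hyper-V virtual adapter and the physical Wi-Fi card by description (no interface alias is assumed), shows whether each one's driver reports LSO at all, and then disables LSO on the virtual adapter only. Run it from an elevated prompt.

```powershell
# Added example (not from the original post). Shows the LSO state of the Hyper-V virtual
# adapter and the physical Wi-Fi card, then disables LSO on the virtual adapter only.
#Requires -RunAsAdministrator

function Get-HyperVVirtualAdapter {
    # Host-side adapter created when an External vSwitch is shared with the management OS
    Get-NetAdapter -IncludeHidden | Where-Object InterfaceDescription -like 'Hyper-V Virtual Ethernet Adapter*'
}

function Get-PhysicalWifiAdapter {
    Get-NetAdapter -Physical | Where-Object {
        $_.PhysicalMediaType -eq 'Native 802.11' -or $_.InterfaceDescription -match 'Wi-?Fi|Wireless'
    }
}

function Show-LsoState([string]$Name) {
    # Get-NetAdapterLso reports the IPv4/IPv6 (and legacy V1) LSO flags. A NIC whose driver does
    # not implement LSO returns nothing here, which is exactly the mismatch described in the post.
    $lso = Get-NetAdapterLso -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $lso) { return ('{0,-45} LSO not supported by driver' -f $Name) }
    '{0,-45} V1IPv4={1} IPv4={2} IPv6={3}' -f $Name, $lso.V1IPv4Enabled, $lso.IPv4Enabled, $lso.IPv6Enabled
}

$vadapters = @(Get-HyperVVirtualAdapter)
$wifi      = @(Get-PhysicalWifiAdapter)
if ($vadapters.Count -eq 0) {
    throw 'No Hyper-V virtual Ethernet adapter found; is an External vSwitch shared with the host?'
}

'Before:'
$vadapters | ForEach-Object { Show-LsoState $_.Name }
$wifi      | ForEach-Object { Show-LsoState $_.Name }

# Disable LSO for both IP versions on the virtual adapter. Without -NoRestart the adapter is
# reset so the setting takes effect immediately (expect a brief link interruption).
# The GUI equivalent is "Large Send Offload Version 2 (IPv4/IPv6)" = Disabled in the adapter
# properties, which Set-NetAdapterAdvancedProperty -DisplayName can also drive.
$vadapters | ForEach-Object { Disable-NetAdapterLso -Name $_.Name -IPv4 -IPv6 }

'After:'
$vadapters | ForEach-Object { Show-LsoState $_.Name }
```

If the "Before" output shows LSO enabled on the virtual adapter while the Wi-Fi card reports no LSO support, you are in the situation described above; re-run an upload test after the "After" block to confirm the fix, as in the third screenshot.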

Hands-On Linux Administration on Azure E-book

Available in the Azure library of free books, the quality of this book impressed me!

Available since 2019, it was "announced" again on LinkedIn, and I was curious enough to read it over the weekend.

The content starts with Azure basics and then moves on to the part we need most, if like me you are more familiar with Windows than Linux.

The Linux chapters start by explaining the basics of the command line, Bash, variables, text and process manipulation, as well as the concept of DAC (discretionary access control).

Then you can use the detailed tutorial on creating a VM in Azure with details on the difference in resources such as storage, network and security.

In the following topics the author goes deep into Linux administration: firewalld, systemd, DAC, MAC, RPM, YUM and several other tools for an advanced administrator, including Vagrant and Packer.

But the last 2 chapters are where those of you who already know Linux will get the most value, as they cover how to use Terraform, Ansible and PowerShell DSC to create and administer VMs. Interestingly, the book even shows how to install them on the Linux VMs hosted in Azure.

And finally, the last topic, on Linux containers, rounds off a book of 500 pages!

Even for those who already know Azure well, this book will be a bedside reference because it covers topics like Ansible, Terraform and containers (including AKS).

Linux on Azure E-book by Packt | Microsoft Azure

Imagem1

Azure ARC – Integration of Updates, Change Monitoring and Inventory

When using Arc, as discussed before ( https://msincic.wordpress.com/2020/07/22/azure-arc-integrated-multi-cloud-management/ ), a common question I get from people in the community is how to enable the Insights functions that appear in the Arc panel.

Creating or Enabling an existing Automation account

The first step is to have an Automation account in a region that is paired with the region of the Log Analytics workspace integrated with Arc.

To find out which regions form these pairs, use the link https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings ; for example, East US is paired with East US 2 and vice versa. In other words, the Log Analytics workspace must be in one of the regions and the Automation account in the other (most other regions simply pair with themselves).

1-Zonas_LI

After creating the Automation account and the Log Analytics workspace, go to the Automation account and configure the link between them.

2-Captura de tela 2021-05-03 115936

In the Automation account panel itself it is already possible to configure the Update Management, Change Tracking and Inventory features, and they are then displayed ready in the Arc panel.

Enabling features

Each feature can be linked to a different Automation account or Log Analytics workspace, though that is not the case here.

2-Integrando

Once linked, in the Automation account's own panel it is already possible to see the features and enable computers; notice that machines that have the Arc agent already appear in the inventory.

3-Inventario

For Updates you will need to choose the machines whose updates you want to automate.

4-Updates

Remember that once Update Management is configured, it is still necessary to create the schedules (update deployments) that actually install these updates.

5-ARC integrado

Finally, we enable the Change Tracking panel, indicating the computers we want to collect from.

6-Habilitando Alteracoes

In my opinion this is the most valuable of these features, since for both security and support, knowing the changes made on each server is essential.

7-
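The portal steps above (paired regions, linking the workspace to the Automation account, enabling the features, onboarding an Arc server) can be done in one script. The following is an added example and not code from the original post or from Microsoft's documentation: it assumes the Az module (Az.Accounts, Az.OperationalInsights, Az.Automation, Az.Resources and Az.ConnectedMachine) and an existing Connect-AzAccount session; the resource group, workspace, account and server names are placeholders chosen for the example; and the region table is only an excerpt of the mapping page linked above, with the link itself remaining the authority.

```powershell
# Added example (not from the original post). Creates or reuses a Log Analytics workspace and
# an Automation account in a valid region pair, links them, enables the Updates and
# ChangeTracking solutions, and attaches the Log Analytics agent to an Azure Arc server so it
# appears in Inventory. Names below are placeholders.
$rg        = 'rg-arc-mgmt'
$wsName    = 'law-arc-mgmt'
$autoName  = 'aa-arc-mgmt'
$wsRegion  = 'eastus'
$arcServer = 'srv-arc-01'      # existing Azure Arc-enabled server in $rg

# Excerpt of the workspace -> Automation account mapping from
# https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings
# East US pairs with East US 2 (and back); the other regions listed pair with themselves.
$regionPair = @{
    'eastus' = 'eastus2'; 'eastus2' = 'eastus'; 'westus2' = 'westus2'
    'westeurope' = 'westeurope'; 'northeurope' = 'northeurope'; 'brazilsouth' = 'brazilsouth'
    'southeastasia' = 'southeastasia'; 'australiasoutheast' = 'australiasoutheast'
    'uksouth' = 'uksouth'; 'canadacentral' = 'canadacentral'; 'centralindia' = 'centralindia'
}
function Get-AutomationRegionFor([string]$WorkspaceRegion) {
    $r = $regionPair[$WorkspaceRegion.ToLower()]
    if (-not $r) { throw "No Automation region mapping in this excerpt for '$WorkspaceRegion'; check the mapping page" }
    $r
}
$autoRegion = Get-AutomationRegionFor $wsRegion
$subId      = (Get-AzContext).Subscription.Id

# 1. Workspace and Automation account (idempotent)
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -ErrorAction SilentlyContinue
if (-not $ws) { $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -Location $wsRegion -Sku PerGB2018 }
$aa = Get-AzAutomationAccount -ResourceGroupName $rg -Name $autoName -ErrorAction SilentlyContinue
if (-not $aa) { $aa = New-AzAutomationAccount -ResourceGroupName $rg -Name $autoName -Location $autoRegion }
$aaId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Automation/automationAccounts/$autoName"

# 2. Link workspace and Automation account (the portal's "Linked workspace" setting), written as a
#    generic ARM call on the workspace's linkedServices/Automation sub-resource.
$linkId = "$($ws.ResourceId)/linkedServices/Automation"
New-AzResource -ResourceId $linkId -ApiVersion '2020-08-01' -Properties @{ resourceId = $aaId } -Force | Out-Null

# 3. Enable Update Management and Change Tracking/Inventory on the workspace
foreach ($pack in 'Updates', 'ChangeTracking') {
    Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName `
        -IntelligencePackName $pack -Enabled $true | Out-Null
}

# 4. Install the Log Analytics agent extension on the Arc server, pointed at this workspace.
#    The workspace key is a secret: it goes only in ProtectedSetting, never in Settings or logs.
$keys     = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $wsName
$location = (Get-AzConnectedMachine -ResourceGroupName $rg -Name $arcServer).Location
New-AzConnectedMachineExtension -Name 'MicrosoftMonitoringAgent' -ResourceGroupName $rg -MachineName $arcServer `
    -Location $location -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -ExtensionType 'MicrosoftMonitoringAgent' `
    -Settings @{ workspaceId = $ws.CustomerId.ToString() } `
    -ProtectedSetting @{ workspaceKey = $keys.PrimarySharedKey } | Out-Null

# 5. Verify: link present, solutions enabled, extension provisioned
Get-AzResource -ResourceId $linkId -ApiVersion '2020-08-01' |
    Select-Object Name, @{ n = 'AutomationAccount'; e = { $_.Properties.resourceId } }
Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName |
    Where-Object Name -in 'Updates', 'ChangeTracking'
Get-AzConnectedMachineExtension -ResourceGroupName $rg -MachineName $arcServer | Select-Object Name, ProvisioningState
```

Once the agent reports into a workspace that is linked to an Automation account, the machine shows up under Inventory and Change Tracking and becomes eligible for update deployments; as the text above says, the deployments themselves (which machines, which classifications, which maintenance window) still have to be scheduled separately.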

New connector for Azure Consumption in Power BI

A very useful tool for validating and checking costs in Azure is Azure's own Cost Management and its integration with an app dashboard in Power BI.

However, with the retirement of the Power BI app, many people lost a tool that let them manipulate the data and went back to importing Excel/CSV exports to create their customized reports.

Connector for Azure Cost Management in Power BI Desktop

Well, Microsoft has released a connector for Power BI Desktop that brings in more detailed data than you can see in Cost Management.

It is accessed through the connector named Azure Cost Management (the same name appears in the Portuguese interface) and can be used by those who have an Enterprise Agreement or individual subscriptions.

Conexao-1

In the case of an Enterprise Agreement, just enter the enrollment (contract) number and sign in on the following screen:

Conexão-2

Conexao-3

It is important to remember that if the agreement is very large and you choose 12 months, Power BI may take a long time to fetch the data and hit the refresh timeout, so we recommend creating the connection with shorter periods.

If you want to test with more months, or reduce the number of months, open the query's Advanced Editor and change the number of months passed to the connector function, as in the example below; remember that this has to be done for each of the tables.

Editor de conexao

Working with cost tables

Once the connection is made it is possible to choose the tables you will work with.

All tables are intuitive and as detailed as the data you already get when exporting the CSV from the Azure portal; in addition, it adds data sets for Reserved Instances and Budgets.

Tabelas

I particularly liked the RI (Reserved Instance) tables, because they detail the VMs and resources being charged and the original cost, which makes it much simpler to show the savings generated!

Dashboard reservas

The recommendations can also be seen in detail:

Recomendacoes

And finally, the use of reservations with the "quality" percentage, which gives an idea of whether they are actually being used, is one of the most important:

Uso

Recent trainings and ebooks

Below is a useful list of recent online training and documentation.

  • Windows Virtual Desktop Quickstart Guide
    With the adoption of home office for employees, VDI as a service (SaaS) solutions have grown a lot
    This guide shows the concepts and requirements for a SaaS WVD architecture in Azure
    Windows Virtual Desktop E-book | Microsoft Azure
  • SQL Server on-premises and Azure SQL Server Workshops
    The workshop content that Microsoft delivers, open for use in companies or individually
    Some setup effort is required, but the content is rich and valuable
    sqlworkshops | SQL Server Workshops (microsoft.github.io)

Monitoring Azure with System Center Operations Manager (SCOM)

Many companies use SCOM to monitor on-premises environments. Extending this monitoring to Azure resources helps centralize alerts and dashboards into a single integrated cockpit.

To download the Management Pack use the link: https://www.microsoft.com/en-us/download/details.aspx?id=50013

Installing and configuring the MP

When executing the package you will find the 3 MP files that should be imported:

1-MP

Then open the console and import the 3 installed packages:

2-Matters

After importing the packages you can assign the subscriptions you want to monitor. Authentication can be done with a user account or with an SPN (service principal) created in Azure, which acts as an application identity and makes it easier, on the Azure side, to audit the access and assign specific, least-privilege permissions.

The SPN creation process is automatic: just supply the user credentials and let the wizard do the work!

2-Importa

3a-SPN

3b-Assinaturas
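If you prefer to control exactly what the monitoring identity can do, the service principal can be created by hand before running the wizard and given only the Reader role on each monitored subscription. The script below is an added example, not part of the original post or of the Management Pack; it assumes Az.Resources with a Connect-AzAccount session that may create app registrations and role assignments, placeholder subscription IDs, and that Reader is sufficient for the MP's discovery and metric/alert reads (my assumption; widen the role only if a specific feature of the MP demands it).

```powershell
# Added example (not from the original post). Creates a service principal for the SCOM Azure MP
# with an explicit, least-privilege role assignment (Reader) on the monitored subscriptions.
$displayName     = 'scom-azure-monitoring'
$subscriptionIds = @('00000000-0000-0000-0000-000000000001',
                     '00000000-0000-0000-0000-000000000002')

$sp = Get-AzADServicePrincipal -DisplayName $displayName
if (-not $sp) {
    # Creates the app registration and the service principal. Depending on the Az.Resources
    # version this also issues a client secret; read it from the returned object
    # (PasswordCredentials on Az 7+, Secret on older versions) and store it in a vault.
    $sp = New-AzADServicePrincipal -DisplayName $displayName
}
# Property name differs between Az.Resources versions (AppId on Az 7+, ApplicationId before)
$appId = if ($sp.AppId) { $sp.AppId } else { $sp.ApplicationId }

foreach ($subId in $subscriptionIds) {
    $scope = "/subscriptions/$subId"
    $current = Get-AzRoleAssignment -ServicePrincipalName $appId -Scope $scope |
               Where-Object Scope -eq $scope          # ignore assignments inherited from management groups
    if (-not ($current | Where-Object RoleDefinitionName -eq 'Reader')) {
        New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
    }
    # Older New-AzADServicePrincipal versions granted Contributor by default; a monitoring
    # identity must not be able to change resources, so remove anything beyond Reader.
    $current | Where-Object RoleDefinitionName -ne 'Reader' | ForEach-Object {
        Remove-AzRoleAssignment -ObjectId $_.ObjectId -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
    }
}

# What the MP wizard asks for (tenant, application ID) plus the resulting assignments to review
[pscustomobject]@{ TenantId = (Get-AzContext).Tenant.Id; ApplicationId = $appId; ObjectId = $sp.Id }
Get-AzRoleAssignment -ServicePrincipalName $appId | Select-Object RoleDefinitionName, Scope
```

The final listing is the check worth keeping: a monitoring principal that shows anything other than Reader on a subscription scope is an account that, if its secret leaks from the SCOM management server, can modify the environment rather than only read it.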

Configuring what will be monitored

Find the MS Azure Monitoring Management Pack and choose which of the subscriptions you want to monitor. The recommendation is to create a new Management Pack to host the resources you will monitor, which makes reconfiguration easier if necessary.

If there are multiple subscriptions, repeat the process for each subscription, adding them to the same custom MP you created.

5-Novo monitor

6-subscricao

7-recursos

Finding the Resources

The Management Pack creates a new folder in Monitoring named Microsoft Azure, with several items where you can see the different types of dashboards and reports available.

Within a few minutes SCOM discovers the resources and, right after that, returns the status of each one.

8a-Health vms

8-Health resources

As there are several views and reports, you can see performance and status data and define or change alerts according to the standard status rules.

Azure Arc – Integrated Multi-cloud management

Azure Arc is a product (in preview at the time of writing) whose function is to standardize and allow the use of Azure resources for managing VMs and Kubernetes clusters hosted in on-premises environments or other clouds.

https://azure.microsoft.com/en-us/services/azure-arc/

Computadores

Enabling the Service by Registering the Components

The first step is to open the subscription where you will host the Arc resources.

Once the subscription has been chosen, the Hybrid resource providers must be registered as below.

In general the Microsoft.ADHybridHealthService provider will already be registered, but it belongs to AD Connect Health, not to Arc; the Compute, Data and Network hybrid providers need to be registered before adding resources (for Arc-enabled servers, Microsoft.HybridCompute is the one actually required, plus Microsoft.GuestConfiguration if you intend to use the policies shown later):

Registro Provedores

Registering Computers and Resources

When creating the Arc resource, choose a subscription and a Resource Group to host it; after the preview ends, this is also where the service charge (if any) will appear.

Right after enabling, click the Add button on the first screenshot of this article and download the script to run on the servers. If you open the script you will see it is very simple: it downloads an MSI (the Azure Connected Machine agent) and runs it with the subscription data.

Onboarding

The first execution of the script reports that the resource providers must be registered, which was the first topic of this article; this is a recurring error, since when enabling Arc one would expect this registration to be automatic.

Note that when executing the script it generates a code that must be confirmed on the indicated website https://microsoft.com/devicelogin

Registro Servidor
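To make the two steps above concrete (registering the providers, then what the downloaded script does on the server), here is an added example that is not the portal-generated script itself nor code from the original post. It assumes the Az module on a workstation for part 1, an elevated PowerShell session on the server for part 2, placeholder subscription, tenant, resource group and location values, and the documented azcmagent command-line options; the service-principal path is optional and is the one to use when onboarding many servers.

```powershell
# Added example (not from the original post). Part 1 registers the providers Azure Arc needs;
# part 2 installs and connects the Connected Machine agent the way the portal script does.

# ---- Part 1: subscription side (workstation with Az, run once per subscription) ----
# Skipping this is the cause of the "first execution" error described above.
foreach ($ns in 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration') {
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}
Get-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute, Microsoft.GuestConfiguration |
    Select-Object ProviderNamespace, RegistrationState -Unique

# ---- Part 2: on the server (elevated PowerShell) ----
function Connect-ArcServer {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$Location,
        [string]$ServicePrincipalId,              # optional: non-interactive onboarding at scale
        [securestring]$ServicePrincipalSecret,
        [hashtable]$Tags = @{}
    )
    $msi   = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
    $agent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"

    if (-not (Test-Path $agent)) {
        # Same download and silent install the portal script performs
        Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -OutFile $msi -UseBasicParsing
        $p = Start-Process msiexec.exe -Wait -PassThru `
             -ArgumentList "/i `"$msi`" /l*v `"$env:TEMP\azcmagent-install.log`" /qn"
        if ($p.ExitCode -ne 0) { throw "Agent install failed with exit code $($p.ExitCode); see azcmagent-install.log" }
    }

    $cliArgs = @('connect',
        '--subscription-id', $SubscriptionId, '--tenant-id', $TenantId,
        '--resource-group', $ResourceGroup, '--location', $Location)
    if ($Tags.Count -gt 0) {
        $cliArgs += '--tags'
        $cliArgs += ($Tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ','
    }
    if ($ServicePrincipalId) {
        # For bulk onboarding use a service principal that holds only the built-in
        # "Azure Connected Machine Onboarding" role on the resource group, not Contributor.
        # Note the secret is visible on the azcmagent command line for the duration of the call.
        $plain = [System.Net.NetworkCredential]::new('', $ServicePrincipalSecret).Password
        $cliArgs += '--service-principal-id', $ServicePrincipalId, '--service-principal-secret', $plain
    }
    # Without a service principal, azcmagent prints the device code to confirm at
    # https://microsoft.com/devicelogin, exactly as shown in the screenshot above.
    & $agent @cliArgs
    if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

    & $agent show      # resource name, connection status, tenant and subscription it reports to
}

Connect-ArcServer -SubscriptionId '00000000-0000-0000-0000-000000000000' `
                  -TenantId '11111111-1111-1111-1111-111111111111' `
                  -ResourceGroup 'rg-arc-servers' -Location 'eastus' -Tags @{ Datacenter = 'SaoPaulo' }
```

The interactive device-login path is fine for a handful of servers; for a fleet, the service-principal path with the onboarding-only role keeps the credential that ends up on every server (or in the deployment tool) from being able to do anything other than register machines.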

Using Policies and Initiatives

Once linked, the different Policies and Initiatives that create alerts and define standardization of resources, what we generally call Compliance, can be created and enabled.

Politicas-1

By default, the policies above are configured, but it is possible to create new ones to generate compliance reports. To do this, use the pre-existing rules, which cover several different types of checks such as backup, antivirus, ASR, etc.

Politicas-2

As for the Initiatives, they not only check but also implement some types of standards, such as the level of auditing or legal/regulatory requirements:

Iniciativas

Enabling Log Analytics

For these features to work correctly, it is important to use Log Analytics, which captures the server data used to generate alerts and dependency maps.

To do this, open the servers and click on the warning in the banner that is displayed; from there you can enable the features for each server, or in Insights. An interesting feature is that each server can use a different subscription or even a different Log Analytics workspace.

Habilitar Log Insigths

After the integration, which takes 5 to 10 minutes, it is already possible to use the monitors, alerts and even the dependency map:

Alertas

Habilitar Log Insigths

Monitor-2

Mapa

CONCLUSION

In environments that mix physical servers, virtual servers and cloud machines, the ease of integrating Azure management functions will help a lot.

Much of this work is already possible in Log Analytics, but only passively. With its simple integration with policies, initiatives and the portal interface, Azure Arc will be an excellent tool for IT professionals with multiple hosting environments.

Enabling remote work during the Corona Virus period

In this period when many employees are being moved to remote work, what solutions can be adopted quickly?

Scenario 1 – Use of VPN

The first solution is the use of VPNs, where the employee accesses the company's network environment from home over the internet.

What are the advantages?
This method is very interesting because it is fast to implement, usually on the firewall the company already uses. The user will be able to access e-mail, servers and applications as if physically inside the company, using a personal computer. As it uses a product that already exists in most environments, the cost is minimal; with many vendors it is just a matter of enabling the feature on the firewall.

What are the disadvantages?
The biggest risk in using VPNs is the lack of security inherent in direct external connections from unknown equipment. For example, imagine that the employee's machine is the same one used to download content from the internet, games and so on. What guarantee do I have that a worm or virus will not come in through this connection? None.

What solutions can I use to complement security?
NAC (Network Access Control) is a set of protocols and checks, usually on the firewall or VPN concentrator, that run a posture check on the remote device when it tries to connect, validating that it has a working antivirus, operating system updates, etc., through an NPS (Network Policy Server) rule. However, NPS checks are usually limited in what they can verify: without an agent installed in advance they validate only at the moment the device enters the network, so settings can be changed afterwards and leave the equipment unprotected.
The MDM solution in the Microsoft portfolio is Microsoft Intune, which, together with SCCM (System Center Configuration Manager), is now called Microsoft Endpoint Manager.
Intune is a cloud solution with functions similar to SCCM, but with modules for devices such as phones and tablets. It allows the administrator to create validation rules that are applied to the user's machine by the management agent, and these rules may involve:

• Operating system updates
• Installing corporate applications automatically
• Compliance rules such as mandatory passwords and password type, and use of resources shared between different environments on mobile (Samsung KNOX and Apple Secure)
• Restriction on the exchange of information between applications classified as corporate (copy and paste)
• Several other rules that vary between Android, iOS, macOS and Windows
• Integration with various physical NAC models

Scenario 2 – Use of PaaS and SaaS for work applications

Well known as the Modern Workplace, these solutions in the Microsoft portfolio are in Microsoft Office 365.
Sold as individual services, as the Business package (up to 300 users) and as enterprise plans (Office 365 and Microsoft 365), they allow an employee to work remotely without any type of access to the internal network.

What are the advantages?
Because there are different contractual acquisition models (CSP on demand, MPSA and EA with fixed prices), it is accessible to all customers.
Data security is greater because the user accesses files and e-mail directly from Microsoft over the public internet and has no access to the company's internal servers. As a cloud service model, it needs no facilities, servers or local infrastructure, beyond the TCO of maintaining and operating the services.
Well, we don't need to say much, because today the PaaS and SaaS model with Exchange, Teams, SharePoint, OneDrive and the other products in the suite is already well established.

What are the disadvantages?
There are few negative points, since here we are dealing with essential services (e-mail, messaging, audio and video conferencing, file exchange). But unrestricted access to data, without the ease of creating security rules that we have with ACLs on a physical file server, scares a lot of people... Since the files are in the cloud and accessible from anywhere and any device, how do we prevent unauthorized access?

What solutions protect my content?
This is where things get easier! In the Office 365 PaaS and SaaS model we have security packages available for any of the options, both contractual and package type:

• To encrypt, categorize and identify protected content we have AIP (Azure Information Protection), the old Windows RMS now in the cloud, which can identify, for example, that a user is sending CPFs (Brazilian tax IDs) and passport numbers to other people inside or outside the company
• To detect suspicious activity we have ATP (Azure Advanced Threat Protection), which analyzes activity in the on-premises Active Directory
• With CASB (Cloud App Security) we make advanced usage detections, integrating third-party applications and identifying possible violations and problems such as logins from different locations simultaneously or impossible travel (Chile and Australia in less than 2 hours, for example)
• Azure AD Premium allows the creation of access and login rules (Conditional Access, similar to NAC) and also provides detailed activity reports

These features are those that would cover the security of access to company data on any device!
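The "impossible travel" detection mentioned for Cloud App Security is simple enough to reproduce, which helps when tuning it or when checking a sign-in export by hand. The script below is an added example and not code from the original post or from Microsoft: the sign-in records are constructed, the coordinates are approximate city centres, and the 900 km/h threshold (roughly airliner speed) is a choice for this example rather than a product setting.

```powershell
# Added example (not from the original post). Flags consecutive sign-ins by the same user that
# would require travelling faster than an airliner. Sign-in records are CONSTRUCTED.
$signIns = @(
    [pscustomobject]@{ User = 'ana@contoso.com';  Time = [datetime]'2020-03-20T10:00:00Z'; City = 'Santiago';       Lat = -33.45; Lon = -70.67 }
    [pscustomobject]@{ User = 'ana@contoso.com';  Time = [datetime]'2020-03-20T11:30:00Z'; City = 'Sydney';         Lat = -33.87; Lon = 151.21 }
    [pscustomobject]@{ User = 'joao@contoso.com'; Time = [datetime]'2020-03-20T09:00:00Z'; City = 'Sao Paulo';      Lat = -23.55; Lon = -46.63 }
    [pscustomobject]@{ User = 'joao@contoso.com'; Time = [datetime]'2020-03-20T12:00:00Z'; City = 'Rio de Janeiro'; Lat = -22.91; Lon = -43.17 }
)

function Get-DistanceKm([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2) {
    # Haversine great-circle distance on a 6371 km sphere
    $toRad = [Math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [Math]::Pow([Math]::Sin($dLat / 2), 2) +
         [Math]::Cos($Lat1 * $toRad) * [Math]::Cos($Lat2 * $toRad) * [Math]::Pow([Math]::Sin($dLon / 2), 2)
    2 * 6371 * [Math]::Asin([Math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    param([object[]]$Events, [double]$MaxSpeedKmh = 900)
    $Events | Group-Object User | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Time)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $km    = Get-DistanceKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            $hours = ($cur.Time - $prev.Time).TotalHours
            # A location change with no elapsed time is treated as infinite speed
            $speed = if ($hours -le 0) { [double]::PositiveInfinity } else { $km / $hours }
            [pscustomobject]@{
                User = $_.Name; From = $prev.City; To = $cur.City
                DistanceKm = [Math]::Round($km); Hours = [Math]::Round($hours, 2)
                SpeedKmh = [Math]::Round($speed); Impossible = ($speed -gt $MaxSpeedKmh)
            }
        }
    }
}

Find-ImpossibleTravel -Events $signIns | Format-Table -AutoSize
```

On the constructed records the Santiago-to-Sydney pair (about 11,300 km in 1.5 hours) is flagged and the Sao Paulo-to-Rio pair (about 360 km in 3 hours) is not. Real products add what this toy omits: geolocation of IP addresses, allowances for VPN egress points and known corporate ranges, and learning each user's normal locations so that travel between them is not flagged.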

Scenario 3 – Virtual Desktop

A well-known solution; it can be implemented as direct access to applications published from servers (RDS) or as independent virtual machines per user (VDI).

What are the advantages?
Nothing is stored outside the company; no data is exchanged over the internet, only the screen session.
In this model the data is accessed from within the company, since the user only sees the screen of the server or of a personal VM that lives in the corporation's infrastructure and network.
So access to data is very controlled and 100% identical to what the employee would see and do sitting at an office desk.

What are the disadvantages?
Cost, of both equipment and licensing.
To build an RDS (Remote Desktop Services) structure it is possible to use Windows Server directly, at a much more attractive cost, or solutions such as VMware Horizon and Citrix.
As for the VDI (Virtual Desktop Infrastructure) solution, the cost is high, since for each logged-in user it is necessary to have an activated Windows 10 VM.
Therefore, if there are 200 remote users, it will be necessary to have 200 VMs active on physical servers, which after the outbreak would no longer be needed.

What alternatives are there for the lack of hardware in this moment of isolation?
Microsoft has a service called WVD (Windows Virtual Desktop), which is a hosted VDI with the advantage of being scalable: it can go from 1 to 25,000 VMs in minutes! The service is open to all customers through an Azure account plus Windows Enterprise with SA or a Windows E3 subscription.
Users who already have Microsoft 365 (except F1) are already entitled, since M365 E3 and E5 include Windows Enterprise licensing.
And for those who don't, Windows E3 licenses can be subscribed to in the monthly CSP model, so you pay only for what you activate in WVD.

Unidentified CPU usage in Task Manager

This tip is old, but important.

When looking at Windows Task Manager, the System process is stuck between 20-30% CPU usage.

The System process should not show constant usage: it is activated whenever a kernel task runs and normally sits at 0-1%.

Task Manager symptom

Note that the process's CPU is high even though there is no reason for it: memory is under 100 KB and there is no disk or network activity.

tela1

What normally causes this behavior?

If memory and disk were high it could be an update, or a process that crashed and the operating system is trying to recover, but that does not match the situation above.

This indicates that the load comes not from a program but from a device driver running inside the System process, one that uses no visible system resources, such as a video card, controller or other device.

How to find the source of the problem?

Since Task Manager is an end-user tool, it omits important internal details. So download and use the Process Explorer tool from Sysinternals (owned by Microsoft) at https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

After opening PROCEXP you can see the same System process in detail and what it is running:

tela2

Right-click and open the process properties; the Threads tab shows what the System process is running and the CPU usage per thread, which identifies who is responsible for the high CPU usage:

tela3

Clicking on the "culprit" thread, we see its details (start address and module) and understand what is causing the high CPU usage:

tela4

Now it is enough to search the internet for what this module is; in my case I found that it is something very basic: the equipment's power management driver (Power Interface).

So I went to the manufacturer's website, downloaded the updated drivers, and after a reboot the System process is back in its proper place in the task list:

Telafinal
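The same two pieces of information Process Explorer gave above (which System threads are burning CPU, and where they start) can be pulled from PowerShell, which is handy on a server where you cannot install tools. The script below is an added example, not from the original post or from Sysinternals; it assumes an elevated session, uses only .NET's Process/ProcessThread classes and the standard Win32 CIM classes, and does not resolve a start address to a driver name (Process Explorer does that with symbols), so the last function lists the system-class drivers with their dates to narrow the search.

```powershell
# Added example (not from the original post). Lists the busiest threads of the System process
# (PID 4) with their kernel start addresses, the live per-thread CPU %, and the SYSTEM-class
# (ACPI / power management) drivers with versions and dates. Run elevated.
#Requires -RunAsAdministrator

function Get-SystemBusyThreads([int]$Top = 5) {
    $sys = Get-Process -Id 4
    $sys.Threads | ForEach-Object {
        # Per-thread CPU time needs a thread handle; tolerate the occasional access denied
        try { $cpu = $_.TotalProcessorTime } catch { $cpu = $null }
        [pscustomobject]@{
            ThreadId     = $_.Id
            CpuSeconds   = if ($null -ne $cpu) { [Math]::Round($cpu.TotalSeconds, 1) } else { $null }
            State        = $_.ThreadState
            # Kernel addresses (0xFFFF...) identify the driver once matched against loaded modules
            StartAddress = '0x{0:X16}' -f $_.StartAddress.ToInt64()
        }
    } | Sort-Object CpuSeconds -Descending | Select-Object -First $Top
}

function Get-SystemThreadCpuNow([int]$Top = 5) {
    # Instantaneous CPU % per thread from the performance counters (Process Explorer's "CPU" column)
    Get-CimInstance Win32_PerfFormattedData_PerfProc_Thread -Filter 'IDProcess = 4' |
        Sort-Object PercentProcessorTime -Descending |
        Select-Object -First $Top IDThread, PercentProcessorTime
}

function Get-SystemClassDrivers {
    # ACPI and power-management devices are in the SYSTEM device class; sorting by date makes an
    # outdated OEM driver, like the one found in this post, stand out
    Get-CimInstance Win32_PnPSignedDriver -Filter "DeviceClass = 'SYSTEM'" |
        Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate |
        Sort-Object DriverDate
}

'Cumulative CPU time by System thread:'; Get-SystemBusyThreads | Format-Table -AutoSize
'Current CPU % by System thread:';       Get-SystemThreadCpuNow | Format-Table -AutoSize
'SYSTEM-class (ACPI / power) drivers:';  Get-SystemClassDrivers | Format-Table -AutoSize
```

A thread that tops both the cumulative and the instantaneous lists is the one to look at; its start address is what you match against the module list in Process Explorer (or a kernel debugger) to name the driver, after which the driver table tells you whether the manufacturer has published something newer.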

Conclusion

This does not mean the cause is always the same; this is an example of how to find a process or driver that is bogging down your machine.

Many users do not have enough knowledge to solve it themselves, but it is possible to find many references on the internet after identifying the component that causes the problem.

This tip applies mainly to work done on behalf of other components, as is the case with the System process, which Task Manager hides from view.