
MSDefenderEndpoints is not working

Open fidelislabs opened this issue 2 years ago • 5 comments

Hello,

Plugin /opt/Cortex-Analyzers/responders/MSDefenderEndpoints/MSDefenderEndpoints.py is not working.

I used one Windows 10 Enterprise E5 for tests, set all API permissions: API Permissions > Add permission > APIs my organization uses > type WindowsDefenderATP and click on WindowsDefenderATP Choose Application permissions, select Alert.Read.All AND TI.ReadWrite.All AND Machine.ReadAll AND Machine.Isolate AND Machine.Scan > Click on Add permissions.

When I'm trying to use MSDefender-FullVirusscan_1_0 I receive the following errors:

A. In /opt/cortex/logs/application.log or /var/log/cortex/application.log:

2023-02-05 01:38:06,244 [INFO] from org.thp.cortex.services.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.0.0.5 POST /api/responder/c3bd92ef1f22df7e261ea0b032d7e2c6/run took 739ms and returned 200 2642 bytes
2023-02-05 01:38:06,992 [INFO] from org.thp.cortex.services.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 127.0.0.1 GET /api/alert took 8ms and returned 200 2 bytes
2023-02-05 01:38:07,256 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-9 - Job Wgk5H4YB5zoyAmziKrZL has be updated (JsDefined("InProgress"))
2023-02-05 01:38:07,257 [WARN] from org.thp.cortex.services.JobRunnerSrv in application-responder-29 - worker c3bd92ef1f22df7e261ea0b032d7e2c6 can't be run with docker (doesn't have image)
2023-02-05 01:38:07,257 [INFO] from org.thp.cortex.services.ProcessJobRunnerSrv in application-responder-29 - Execute /opt/Cortex-Analyzers/responders/MSDefenderEndpoints/MSDefenderEndpoints.py in /opt/Cortex-Analyzers/responders, timeout is 30 minutes
2023-02-05 01:38:08,268 [INFO] from org.thp.cortex.services.AuditActor in application-akka.actor.default-dispatcher-6 - Job Wgk5H4YB5zoyAmziKrZL has be updated (JsDefined("Failure"))
2023-02-05 01:38:08,268 [INFO] from org.thp.cortex.services.JobSrv in application-akka.actor.default-dispatcher-9 - Job Wgk5H4YB5zoyAmziKrZL has finished with status Failure
2023-02-05 01:38:11,854 [INFO] from org.thp.cortex.services.AccessLogFilter in application-akka.actor.default-dispatcher-12 - 10.0.0.5 GET /api/job/Wgk5H4YB5zoyAmziKrZL/waitreport?atMost=1%20second took 7ms and returned 200 7640 bytes

And the error from the Cortex:

[thehive:case_artifact] [filename] something.exe

{ "errorMessage": "", "input": "{"data":{"_id":"~90112","id":"~90112","createdBy":"[email protected]","updatedBy":"[email protected]","createdAt":1675078141604,"updatedAt":1675428834792,"_type":"case_artifact","dataType":"filename","data":"winpeasx64.exe","startDate":1675078141604,"tlp":2,"tags":[],"ioc":true,"sighted":false,"reports":{},"stats":{},"case":{"_id":"~86240","id":"~86240","createdBy":"[email protected]","updatedBy":"[email protected]","createdAt":1675078141599,"updatedAt":1675252008636,"_type":"case","caseId":4,"title":"Antimalware Action Taken","description":"Microsoft Antimalware has taken an action to protect this machine from malware or other potentially unwanted software.\n\r\n\rLink: https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/REDACTED/resourceGroups/SREDACTED/providers/Microsoft.OperationalInsights/workspaces/REDACTED/providers/Microsoft.SecurityInsights/Incidents/REDACTED\n\rAlertLink: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=VirTool:MSIL/Cajan.A!MTB","severity":1,"startDate":1675078141598,"endDate":null,"impactStatus":null,"resolutionStatus":null,"tags":["mail:[email protected]","mail sent","mail:[email protected]","[email protected]","abc@com"],"flag":false,"tlp":2,"pap":2,"status":"Open","summary":null,"owner":"[email protected]","customFields":{"sentinelIncidentNumber":{"integer":null,"order":0},"alertIds":{"string":"REDACTED","order":1},"incidentURL":{"string":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.OperationalInsights/workspaces/REDACTEDL/providers/Microsoft.SecurityInsights/Incidents/redacted","order":2}},"stats":{},"permissions":[]}},"dataType":"thehive:case_artifact","tlp":2,"pap":2,"message":"","parameters":{"organisation":"xyz","user":"abc@com"},"config":{"resourceAppIdUri":"https://api.securitycenter.windows.com","proxy_https":null,"cacerts":null,"oAuthUri":"https://login.windows.net/","check_tlp":true,"max_tlp":2,"check_pap":true,"max_pap":2,"jobTimeout":30,"service":"runFullVirusScan","proxy_http":null,"appId":"83041dec-e870-4de9-aa61-416aa751faf7","tenantId":"TENANT-ID-REDACTED","appSecret":"REMOVED"}}", "success": false }

I didn't achieve anything by modifying the script; I ran it locally, without success. I would be indebted if you could help me. Thank you.


fidelislabs avatar Feb 06 '23 11:02 fidelislabs

@lucian1337 I will check this after I get the proper license for Defender / Azure.

korteke avatar Feb 06 '23 12:02 korteke

Thank you @korteke . Just an idea: Azure and Defender trial :)

I think this plugin is one of the most interesting ones and should be marked as very important. I tried to fix it but, as you know, the most difficult part is to fix stuff because of .... 😞

Regards,

Lucian

fidelislabs avatar Feb 06 '23 12:02 fidelislabs

Question               | Answer
-----------------------|-----------------------------
OS version (server)    | Ubuntu 20.04
OS version (client)    | Windows 10 Cloud
Cortex Analyzer Name   | MSDefender-FullVirusscan_1_0
Cortex Analyzer Version| 1.0
Cortex Version         | 3.1.7-1
TheHive Version        | 4.1.24-1

Other details...

fidelislabs avatar Feb 06 '23 12:02 fidelislabs

Hello,

@korteke

Do you have any news?

Regards,

Lucian

fidelislabs avatar Feb 21 '23 11:02 fidelislabs

Hi @lucian1337. In your example, you are submitting a file as an argument for the virus scan. This won't work because this action expects a machine ID:

# Method of the responder class: self.caseId comes from the TheHive job input.
def runFullVirusScan(self, machineId):
    '''
    example
    POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
    '''
    url = 'https://api.securitycenter.windows.com/api/machines/{}/runAntiVirusScan'.format(machineId)

    body = {
        'Comment': 'Full scan to machine due to TheHive case {}'.format(self.caseId),
        'ScanType': 'Full'
    }
    ....

If you want to run an AV scan, you'll need the computerDNSname as an observable. For example: PC123.your-domain.com

This is handled by getMachineId:

import datetime

# Method of the responder class: self.observableType is the TheHive data type
# of the observable ("ip" or a DNS name); an IP is looked up with a timestamp
# 60 minutes back, anything else is matched against computerDnsName.
def getMachineId(self, id):
    time = datetime.datetime.now() - datetime.timedelta(minutes=60)
    time = time.strftime("%Y-%m-%dT%H:%M:%SZ")

    if self.observableType == "ip":
        url = "https://api.securitycenter.windows.com/api/machines/findbyip(ip='{}',timestamp={})".format(id,time)
    else:
        url = "https://api.securitycenter.windows.com/api/machines?$filter=computerDnsName+eq+'{}'".format(id)

louismaxx avatar May 12 '23 09:05 louismaxx
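The resolution chain the reply describes (observable -> machine lookup URL -> machine id -> runAntiVirusScan request), as a stand-alone example added here; it is not the responder's own code. The sample timestamp and the JSON reply shapes are constructed assumptions, and unlike the responder it URL-encodes the DNS name and refuses observable types it cannot map (such as the filename that failed in this issue).

```python
import datetime
import json
from urllib.parse import quote

API = "https://api.securitycenter.windows.com/api"

# Constructed sample inputs for the demo; not data taken from the issue's environment.
SAMPLE_NOW = datetime.datetime(2023, 2, 5, 1, 38, 7)
SAMPLE_FILTER_RESPONSE = json.dumps({"value": [
    {"id": "MACHINE-ID-PLACEHOLDER", "computerDnsName": "pc123.your-domain.com"}]})


def lookup_url(observable_type, value, now=None):
    """Mirror getMachineId's two lookups: an IP uses findbyip with a timestamp
    60 minutes back, a DNS name uses an OData $filter on computerDnsName.
    Anything else (a filename, a hash, ...) has no machine to resolve to."""
    if observable_type == "ip":
        now = now or datetime.datetime.now()
        ts = (now - datetime.timedelta(minutes=60)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{API}/machines/findbyip(ip='{value}',timestamp={ts})"
    if observable_type in ("fqdn", "hostname"):
        # quote() leaves letters, digits, '.', '-' and '_' alone but encodes a stray
        # quote, so the observable cannot break out of the $filter string literal.
        return f"{API}/machines?$filter=computerDnsName+eq+'{quote(value, safe='')}'"
    raise ValueError(f"observable type {observable_type!r} cannot be mapped to a machine id")


def machine_id_from_response(body):
    """Pull the machine id out of the lookup reply. Assumed shapes: an OData
    collection ({"value": [...]}) for the $filter query, a single machine
    object for findbyip. Exactly one match is required before acting on it."""
    data = json.loads(body)
    machines = data["value"] if "value" in data else [data]
    if len(machines) != 1:
        raise LookupError(f"expected exactly one machine, got {len(machines)}")
    return machines[0]["id"]


def scan_request(machine_id, case_id):
    """URL and body for the runAntiVirusScan action quoted in the thread."""
    url = f"{API}/machines/{machine_id}/runAntiVirusScan"
    body = {"Comment": f"Full scan to machine due to TheHive case {case_id}",
            "ScanType": "Full"}
    return url, body


if __name__ == "__main__":
    print(lookup_url("fqdn", "PC123.your-domain.com"))
    print(scan_request(machine_id_from_response(SAMPLE_FILTER_RESPONSE), 4))
```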