Thursday, November 11, 2021

Microsoft Defender for Cloud - Use cases

The way we look at threats and the mechanisms we implement to protect, detect, and respond to them have changed drastically. It is no longer a cat-and-mouse game between us and the attackers. Advances in technology and sophistication have given threat actors a multitude of options to defeat the mindset and mechanisms we have been carrying over for years.

It’s time to understand how we can leverage modern technology to combat the attackers, but before we start thinking about the “How”, we need to be clear on the “What”.

Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your cloud resources and provides advanced threat protection across your hybrid workloads in the cloud, whether they are in Azure or not.

Microsoft Defender for Cloud covers two broad aspects for securing your cloud resources.


Cloud Security Posture Management (CSPM) – Gives organizations visibility on their security posture via the secure score, detection of security misconfigurations, asset inventory and more.


Cloud Workload Protection Platform (CWPP) – Uses advanced AI and ML based intelligent protection and detection capabilities for your Azure and hybrid cloud workloads. It also helps you track your compliance with regulatory frameworks and compliance standards (like PCI-DSS, NIST, ISO 27001, etc.).


In this blog, I will discuss some real-world use cases for how Microsoft Defender for Cloud can be leveraged against these modern-day threats, and how its Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities help address these complex use cases and give visibility into the security posture and threats across your hybrid and multi-cloud environments.

Security and Compliance Use Cases and the corresponding Microsoft Defender for Cloud Capability

Assess and Visualize Security State of your rapidly changing resources on Azure, on-premises, and other clouds in near real time.

While we may have the best tools to secure our ecosystem, many compromises have happened because of a lack of visibility into assets, vulnerabilities, misconfigurations, and compliance with industry best practices. For example, WannaCrypt would not have caused the havoc it did if the MS17-010 patch, which was released 3 months before the outbreak, had been deployed on the affected systems.

Microsoft Defender for Cloud assesses the security state of all your cloud resources, including servers, storage, SQL, networks, applications, and workloads that are running in Azure, on-premises, and in other clouds. Visualize your security state and improve your security posture by using Azure Secure Score recommendations.

Simplify enterprise compliance and view your compliance against regulatory requirements

While we strive to keep our environment safe and secure against modern-day threats, we need to know and follow best-practice frameworks such as ISO 27001, NIST, CSA, and CIS. In addition, compliance with applicable industry and federal regulations (PCI-DSS, HIPAA, etc.) is of utmost importance. While organizations understand this, it is important to have a unified view of the various controls and of resource compliance. Many organizations today build complex customizations to produce these reports, and the results may not be accurate.

Microsoft Defender for Cloud allows you to view your compliance against a wide variety of regulatory requirements or company security requirements by centrally managing security policies. Perform ongoing assessments and get rich, actionable insights and reports to simplify compliance.

Identification and analysis of vulnerabilities.

Identifying security weaknesses (and, more importantly, those that can be exploited) in a timely manner is important, specifically for rapidly changing and evolving workloads such as virtual machines, SQL, and AKS.

SQL: Vulnerability assessment is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed via the central Microsoft Defender for SQL portal.

Virtual machines: The integrated vulnerability assessment solution supports both Azure virtual machines and hybrid machines.

Container registries: When you push an image to Container Registry, Defender for Cloud automatically scans it, then checks for known vulnerabilities in packages or dependencies defined in the file. When the scan completes (after about 10 minutes), Microsoft Defender for Cloud provides details and a security classification for each vulnerability detected, along with guidance on how to remediate issues and protect vulnerable attack surfaces.

Limit access to your Virtual machines only when required to reduce lateral movements or system compromise.

Attackers commonly target cloud environments with brute force or port scanning attacks, typically against management ports like RDP and SSH that are left open to enable administrator access. All your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.

As with all cybersecurity prevention techniques, your goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports. Your legitimate users also use these ports, so it's not practical to keep them closed permanently. To solve this dilemma, Microsoft Defender for Cloud offers just-in-time (JIT) VM access. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
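
To make the JIT mechanism concrete, here is an added example (not Azure's API or Defender for Cloud's own code) that models a network security group evaluated by priority, with a permanent deny on the management ports and a time-bounded, single-source allow rule added on request; the rule names, priorities and the 3-hour window are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed model of an NSG evaluated by priority, plus a JIT-style allow rule
# that carries an expiry. Illustration of the mechanism only, not Azure's API.

@dataclass
class Rule:
    name: str
    priority: int                        # lower number wins, as in Azure NSGs
    port: int
    action: str                          # "Allow" or "Deny"
    source: str = "0.0.0.0/0"
    expires: Optional[datetime] = None   # JIT rules expire; None means permanent

@dataclass
class Nsg:
    rules: List[Rule] = field(default_factory=list)

    def is_allowed(self, src_ip: str, port: int, now: datetime) -> bool:
        # Expired JIT rules are skipped, which is what re-locks the port after the window.
        live = [r for r in self.rules if r.expires is None or r.expires > now]
        for r in sorted(live, key=lambda r: r.priority):
            if r.port == port and ip_address(src_ip) in ip_network(r.source):
                return r.action == "Allow"
        return False                     # nothing matched: deny by default

def lock_down_management_ports(nsg: Nsg) -> None:
    # Baseline posture: deny RDP (3389) and SSH (22) from any source.
    for i, port in enumerate((3389, 22)):
        nsg.rules.append(Rule(f"JIT-Deny-{port}", 4000 + i, port, "Deny"))

def request_jit_access(nsg: Nsg, src_ip: str, port: int, now: datetime, hours: int = 3) -> None:
    # Approved request: open one port to one /32 for a limited time, ahead of the deny rule.
    nsg.rules.append(Rule(f"JIT-Allow-{port}-{src_ip}", 100, port, "Allow",
                          source=f"{src_ip}/32", expires=now + timedelta(hours=hours)))

def scenario() -> Dict[str, bool]:
    # Lock down, approve a 3-hour RDP request from one address, then let it expire.
    nsg = Nsg()
    lock_down_management_ports(nsg)
    t0 = datetime(2021, 11, 11, 9, 0, tzinfo=timezone.utc)
    before = nsg.is_allowed("203.0.113.5", 3389, t0)
    request_jit_access(nsg, "203.0.113.5", 3389, t0)
    t1 = t0 + timedelta(minutes=30)
    return {
        "rdp_before_request": before,
        "rdp_during_window": nsg.is_allowed("203.0.113.5", 3389, t1),
        "rdp_other_source": nsg.is_allowed("203.0.113.6", 3389, t1),
        "ssh_same_source": nsg.is_allowed("203.0.113.5", 22, t1),
        "rdp_after_expiry": nsg.is_allowed("203.0.113.5", 3389, t0 + timedelta(hours=4)),
    }
```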

Visibility or Oversight on Execution of untrusted or unsafe Applications on your virtual machines using machine learning techniques.

One of the key challenges for organizations is to restrict APT or zero-day payloads, adware, unwanted applications, and the like, and to add a layer of security on top of the EDR and NGAV products already in use. By defining known safe applications and gaining timely oversight when an unknown application is executed, the attack surface is substantially reduced and compliance goals can be met as well.

Adaptive Application Control in Microsoft Defender for Cloud allows you to:

Identify potential malware, even any that might be missed by antimalware solutions.
Improve compliance with local security policies that dictate the use of only licensed software.
Identify outdated or unsupported versions of applications.
Identify software that's banned by your organization but is nevertheless running on your machines.
Increase oversight of apps that access sensitive data.

Track and provide data of activities on files that are being monitored, such as potential unauthorized changes.

Attackers constantly try to carry out ransomware, data exfiltration, and supply chain attacks by abusing or tampering with system or application files, so it is important to monitor the integrity of such files in order to prevent an attack.

File integrity monitoring (FIM), also known as change monitoring, examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack.
Microsoft Defender for Cloud recommends entities to monitor with FIM, and you can also define your own FIM policies or entities to monitor. FIM informs you about suspicious activity such as:

File and registry key creation or removal.
File modifications (changes in file size, access control lists, and hash of the content).
Registry modifications (changes in size, access control lists, type, and the content).
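
A minimal file integrity check of the kind described above, written here as an added example (not Defender for Cloud's own code): it baselines the size, permission bits and SHA-256 of every file in a constructed directory tree, then reports creations, removals and modifications and names the attribute that changed. Permission bits are used in place of ACLs, and the file names and contents are made up.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

# Constructed FIM example: record size, permission bits and SHA-256 for every file
# under a root, then diff two snapshots into created / removed / modified entries.
# Permission bits stand in for the ACLs that Defender for Cloud's FIM compares.
Snapshot = Dict[str, Tuple[int, int, str]]   # relative path -> (size, mode, sha256)

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> Snapshot:
    snap: Snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            snap[os.path.relpath(p, root).replace(os.sep, "/")] = (
                st.st_size, stat.S_IMODE(st.st_mode), sha256_of(p))
    return snap

def diff(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    out: Dict[str, list] = {"created": sorted(after.keys() - before.keys()),
                            "removed": sorted(before.keys() - after.keys()),
                            "modified": []}
    for p in sorted(before.keys() & after.keys()):
        if before[p] != after[p]:   # name what moved, so a same-size content swap is still reported
            out["modified"].append((p, [n for n, x, y in zip(("size", "mode", "hash"),
                                                              before[p], after[p]) if x != y]))
    return out

def write(root: str, rel: str, body: bytes) -> None:
    with open(os.path.join(root, rel), "wb") as f:
        f.write(body)

def demo() -> Dict[str, list]:
    # Build a small constructed tree, baseline it, tamper with it, and report the drift.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "etc/ssh_config", b"Port 22\n")
        write(root, "app.bin", b"\x7fELF" + b"\0" * 64)
        base = snapshot(root)
        write(root, "etc/hosts", b"127.0.0.1 localhosT\n")  # same size, different content
        os.chmod(os.path.join(root, "app.bin"), 0o777)        # permission change only
        write(root, "etc/rc.local", b"echo added\n")          # new file
        os.remove(os.path.join(root, "etc/ssh_config"))       # removed file
        return diff(base, snapshot(root))
```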

Visibility into Azure Network Topology and recommendations

It’s important to understand how your resources in Azure connect with each other and what traffic is allowed between them, and to get insights and recommendations to improve your network security posture.

The interactive network map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources. Using the map you can see the network topology of your Azure workloads, connections between your virtual machines and subnets, and the capability to drill down from the map into specific resources and the recommendations for those resources.

Unified security solution for identifying IoT/OT devices, vulnerabilities, and threats.

Operational technology (OT) networks power many of the most critical aspects of our society. But many of these technologies were not designed with security in mind and can't be protected with traditional IT security controls. Meanwhile, the Internet of Things (IoT) is enabling a new wave of innovation with billions of connected devices, increasing the attack surface and risk.


Detecting Identity/Access based attacks on Virtual machines, Containers, Azure Storage, Key Vault, and Resource Manager (Privilege Escalation, Credential Access, Initial Access)

Virtual Machines: ML/AI-based detections on VMs such as logons from malicious IP addresses, account enumeration (local and domain), credential dumping, brute force attacks, Kerberos Golden Ticket compromise, detection of credential, unusual config reset in your virtual machine, and unusual user password reset in your virtual machine

Alerts are the notifications that Microsoft Defender for Cloud generates when it detects threats on your resources. Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem, and provides detailed steps to help you remediate attacks. Alert data is retained for 90 days.

Containers: Container with a sensitive volume, exposed Kubernetes dashboard detected, exposed Kubernetes service, exposed Redis service in AKS, detection of privileged containers

Azure Storage/Key Vault/Resource Manager: Privileged custom role created for your subscription, Access from a suspicious IP address, Storage account with potentially sensitive data has been detected with a publicly exposed container, Access from a TOR exit node to a key vault, High volume of operations in a key vault, Suspicious policy change and secret query in a key vault, Suspicious secret listing and query in a key vault, Unusual application accessed a key vault, Unusual operation pattern in a key vault, Unusual user accessed a key vault, Unusual user-application pair accessed a key vault, User accessed high volume of key vaults

Detecting Defense Evasion techniques on Virtual machines, Azure App Services, Containers and Azure Resource Manager

Virtual Machines: Antimalware disabled in your virtual machine, Antimalware file exclusion and code execution in your virtual machine, Antimalware real-time protection was disabled in your virtual machine, Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine, Fileless Attack Detection, Suspicious system process executed, Access of htaccess file detected, Attempt to stop apt-daily-upgrade.timer service detected, Manipulation of host firewall detected, Possible Log Tampering Activity Detected, Script extension mismatch detected

Azure App Service: Encoded executable in command line data, Executable decoded using certutil, Fileless Attack Toolkit Detected, Possible Crypto coinminer download detected, Suspicious SVCHOST process executed

Containers/Azure Resource Manager: Kubernetes events deleted, Docker build operation on Kubernetes node, Azure Resource Manager operation from suspicious proxy IP address, Permissions granted for an RBAC role in an unusual way for your Azure environment

Detection of Malicious Executions and Exploitation on Virtual machines, App Services, Containers, Databases, Azure Resource Manager and Azure Storage

Virtual machines: Custom script extension with suspicious command in your virtual machine, Custom script extension with suspicious entry-point in your virtual machine, Custom script extension with suspicious payload in your virtual machine, decoding of an executable using built-in certutil.exe tool, obfuscated command line, Petya ransomware indicators, possible execution of keygen executable/malware dropper, suspicious combination of HTA and PowerShell, Detected suspicious command line arguments, suspicious credentials in command line, suspicious execution of VBScript.Encode command, suspicious execution via rundll32.exe, suspicious file cleanup commands, suspicious file creation, suspicious named pipe communications, Dynamic PS script construction, Executable found running from a suspicious location, Fileless attack technique, Suspicious PsExec execution, Suspicious system process executed, Behavior similar to common Linux bots, Behavior similar to Fairware ransomware, Exposed Docker daemon on TCP socket, Possible exploitation of Hadoop Yarn, Possible exploitation of the mail server, SSH server is running inside a container, Suspicious PHP execution, Suspicious request to Kubernetes API

App Services: Encoded executable in command line data, Digital currency mining related behavior, Executable decoded using certutil, Fileless Attack Technique, PHP file in upload folder, Possible Cryptocoinminer download, Potential reverse shell, Raw data download, Suspicious PowerShell cmdlets/PHP Executions/SVC Host executions, Suspicious WordPress theme invocation

Containers: K8S API requests from proxy IP address, Digital currency mining container, Kubernetes penetration testing tool, Container with a miner image, Exposed Docker daemon, SSH server is running inside a container, Suspicious request to Kubernetes API

Databases (SQL/open-source relational databases/Cosmos DB): Log on from an unusual location, Login from a principal user not seen in 60 days, Logon from an unusual cloud provider, Access from an unusual location to a Cosmos DB account

Azure Resource Manager/Azure Storage: MicroBurst exploitation toolkit used, Storage account identified as source for distribution of malware, Access from a Tor exit node to a storage account, Access from an unusual location to a storage account, Unusual application accessed a storage account, Unusual upload of .cspkg to a storage account, Unusual upload of .exe to a storage account

Detection of Lateral/Persistence Movements across Virtual Machines, App Services, Containers, Azure Resource Manager, Storage Accounts and Network Layer.

Virtual Machines: PsExec execution, Windows registry persistence method, Suspicious Windows Scheduled Task Creation, Access of htaccess file, persistence attempt via startup scripts, suspicious remote file download, suspicious use of the useradd command on Linux, Indicators associated with DDOS toolkit, New SSH key added, Possible malicious web shell, Potential overriding of common files

App Services/Containers: Suspicious process name, suspicious file download, CoreDNS modification in Kubernetes, Creation of admission webhook configuration, New container in the kube-system namespace, New high privileges role, Role binding to the cluster-admin role, Suspicious request to the Kubernetes Dashboard

Resource Manager: Permissions granted for an RBAC role in an unusual way for your Azure environment, Suspicious management session using an inactive account, Suspicious management session using PowerShell, Suspicious management session using Azure portal, Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials

Storage Accounts: Storage account identified as source for distribution of malware, Potential malware uploaded to a storage account, Unusual change of access permissions, Unusual upload of .cspkg, Unusual upload of .exe

Network Layer: Suspicious outgoing RDP network activity, Suspicious outgoing SSH network activity

Detection of activities related to Probing, Preattack, Discovery, Collection on Virtual Machines, App Service, Databases, Azure Resource Manager, Azure Storage and Network Layer.

Virtual Machines: Suspicious authentication activity, Failed SSH brute force attack, Local host reconnaissance, possible local reconnaissance activity
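
As an added example of the kind of failed-logon detection listed above (not Defender for Cloud's own detection logic), this sliding-window check reads constructed sshd log lines and flags a source the first time it produces five failures within a minute, reporting how many distinct usernames it tried; the log lines, threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sshd lines in syslog format (the year is assumed to be 2021). Not a real capture.
SAMPLE_LOG = """\
Nov 11 09:00:01 vm1 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Nov 11 09:00:03 vm1 sshd[812]: Failed password for invalid user test from 198.51.100.7 port 51023 ssh2
Nov 11 09:00:04 vm1 sshd[814]: Failed password for root from 198.51.100.7 port 51024 ssh2
Nov 11 09:00:06 vm1 sshd[815]: Failed password for root from 198.51.100.7 port 51025 ssh2
Nov 11 09:00:09 vm1 sshd[816]: Failed password for root from 198.51.100.7 port 51026 ssh2
Nov 11 09:00:30 vm1 sshd[820]: Accepted publickey for deploy from 203.0.113.9 port 40211 ssh2
Nov 11 09:05:00 vm1 sshd[830]: Failed password for alice from 203.0.113.9 port 40300 ssh2
Nov 11 09:20:00 vm1 sshd[840]: Failed password for alice from 203.0.113.9 port 40301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port")

def parse(line: str, year: int = 2021) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_brute_force(log: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, datetime, int]]:
    """Flag a source IP the first time it reaches `threshold` failed logons inside a sliding
    time window. Each alert is (ip, time of the triggering failure, distinct usernames tried)."""
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> timestamps of failures still in window
    users: Dict[str, set] = defaultdict(set)        # ip -> usernames attempted (spray indicator)
    alerts: List[Tuple[str, datetime, int]] = []
    alerted = set()
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "Failed":
            continue                                  # successes and unparsable lines are ignored
        ts, _, user, ip = rec
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:               # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts, len(users[ip])))
    return alerts
```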






App Service: NMap scanning, Phishing content hosted on Azure Webapps, Vulnerability scanner, Web fingerprinting, Website is tagged as malicious in threat intelligence feed

Databases (SQL/open-source relational databases/Cosmos DB): A possible vulnerability to SQL Injection, Attempted logon by a potentially harmful application, Log on from an unusual Azure Data Center, Login from a suspicious IP, Potential SQL Brute Force attempt, Potential SQL injection, Suspected brute force attack using a valid user

Resource Manager: PowerZure exploitation toolkit used to enumerate resources, PowerZure exploitation toolkit used to extract Runbooks content, Azurite toolkit run

Azure Storage: Anonymous scan of public storage containers, Phishing content hosted on a storage account, Access from a Tor exit node to a storage account, Unusual access inspection in a storage account, Unusual data exploration in a storage account

Network Layer: Possible incoming brute force attempts detected, Possible outgoing port scanning activity detected, Suspicious incoming RDP network activity from multiple sources, Suspicious incoming RDP network activity, Suspicious incoming SSH network activity from multiple sources, Suspicious outgoing protocol traffic detected, Suspicious outgoing RDP network activity to multiple destinations, Suspicious outgoing SSH network activity to multiple destinations, Traffic detected from IP addresses recommended for blocking, DDoS Attack detected for Public IP, DDoS Attack mitigated for Public IP

Detection of Exfiltration Attempts from Virtual Machines, App Services, Databases, DNS and Storage Accounts

Virtual Machines: Detected file download from a known malicious source, Possible loss of data, Potential port forwarding to external IP address

App Services/Databases: Suspicious domain name reference, Possible loss of data, Unusual export location, Unusual amount of data extracted from a Cosmos DB account

DNS: Anomalous network protocol usage, Anonymity network activity, Anonymity network activity using web proxy, Attempted communication with suspicious sink holed domain, Communication with possible phishing domain, Communication with suspicious algorithmically generated domain, Communication with suspicious random domain name, Digital currency mining activity, Network intrusion detection signature activation, Possible data download via DNS tunnel, Possible data exfiltration via DNS tunnel, Possible data transfer via DNS tunnel

Storage Accounts: Unusual amount of data extracted from a storage account, Unusual deletion in a storage account