Learning Path 10 - Lab 1 - Exercise 1 - Perform Threat Hunting in Microsoft Sentinel

Lab scenario

Lab overview

You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You have received threat intelligence about a Command and Control (C2 or C&C) technique. You need to perform a hunt and watch for the threat.

Important: The lab exercises for Learning Path #10 are in a standalone environment. If you exit the lab before completing it, you will have to run the configurations again.

The log data created in the Learning Path 9 lab exercises will not be available in this lab without rerunning the following prerequisite tasks.

Estimated time to complete this lab: 45 - 60 minutes

Prerequisite task 1: Connect an On-Premises Server

In this task, you’ll connect an on-premises server to your Azure subscription. Azure Arc was pre-installed on this server. The server will be used in the next exercises to run simulated attacks that you will later detect and investigate in Microsoft Sentinel.

Important: The next steps are done on a different machine than the one you were previously working on. Look for the Virtual Machine name in the references tab.

  1. Log in to WINServer virtual machine as Administrator with the password: Passw0rd! if necessary.

As described above, Azure Arc has been pre-installed on the WINServer machine. You will now connect this machine to your Azure subscription.

  1. On the WINServer machine, select the search icon and type cmd.

  2. In search results right click Command Prompt and select Run as administrator.

  3. In the Command Prompt window, type the following command. Do not press enter:

     azcmagent connect -g "defender-RG" -l "EastUS" -s "Subscription ID string"
    
  4. Replace the Subscription ID string with the Subscription ID provided by your lab hoster (Resources tab). Make sure to keep the quotes.

  5. Press Enter to run the command (this may take a couple of minutes).

    Note: If you see the How do you want to open this? browser selection window, select Microsoft Edge.

  6. In the Sign in dialog box, enter your Tenant Email and Tenant Password provided by your lab hosting provider and select Sign in. Wait for the Authentication complete message, close the browser tab and return to the Command Prompt window.

  7. When the command completes, leave the Command Prompt window open and type the following command to confirm that the connection was successful:

     azcmagent show
    
  8. In the command output, verify that Agent status is Connected.

Prerequisite task 2: Connect a non-Azure Windows Machine

In this task, you’ll add an Azure Arc connected, on-premises machine to Microsoft Sentinel.

Note: Microsoft Sentinel has been predeployed in your Azure subscription with the name defenderWorkspace, and the required Content Hub solutions have been installed.

  1. Login to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  6. Select the Microsoft Sentinel defenderWorkspace.

  7. In the Microsoft Sentinel left navigation menu, scroll down to the Configuration section and select Data connectors.

  8. In Data connectors, search for the Windows Security Events via AMA solution and select it from the list.

  9. On the Windows Security Events via AMA details pane, select Open connector page.

    Note: The Windows Security Events solution installs both the Windows Security Events via AMA and the Security Events via Legacy Agent data connectors, plus 2 Workbooks, 20 Analytic Rules, and 43 Hunting Queries.

  10. In the Configuration section, under the Instructions tab, select Create data collection rule.

  11. Enter AZWINDCR for Rule Name, then select Next: Resources.

  12. Expand your Subscription under Scope on the Resources tab.

    Hint: You can expand the whole Scope hierarchy by selecting the “>” before the Scope column.

  13. Expand defender-RG Resource Group, then select WINServer.

  14. Select Next: Collect, and leave All Security Events selected.

  15. Select Next: Review + create.

  16. Select Create after Validation passed is displayed.

Prerequisite task 3: Command and Control Attack with DNS

  1. Copy and run this command to create a script that will simulate a DNS query to a C2 server:

     notepad c2.ps1
    
  2. Select Yes to create a new file and copy the following PowerShell script into c2.ps1.

    Note: Pasting into the virtual machine file might not show the full script length. Make sure the script matches the instructions within the c2.ps1 file.

     param(
         [string]$Domain = "microsoft.com",   # parent domain of every query
         [string]$Subdomain = "subdomain",     # first label used on every loop
         [string]$Sub2domain = "sub2domain",   # extra label queried every 3rd loop
         [string]$Sub3domain = "sub3domain",   # extra label queried every 7th loop
         [string]$QueryType = "TXT",
         [int]$C2Interval = 8,                 # base seconds between queries
         [int]$C2Jitter = 20,                  # jitter in percent
         [int]$RunTime = 240                   # minutes to keep querying
     )
     $RunStart = Get-Date
     $RunEnd = $RunStart.AddMinutes($RunTime)
     $x2 = 1
     $x3 = 1
     Do {
         $TimeNow = Get-Date
         # A random numeric label sits between the fixed subdomain and the domain, so every name is new
         Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
         if ($x2 -eq 3 )
         {
             Resolve-DnsName -type $QueryType $Sub2domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
             $x2 = 1
         }
         else
         {
             $x2 = $x2 + 1
         }
         if ($x3 -eq 7 )
         {
             Resolve-DnsName -type $QueryType $Sub3domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
             $x3 = 1
         }
         else
         {
             $x3 = $x3 + 1
         }
         # Pause for the interval plus a small random jitter before the next query
         $Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval
         Start-Sleep -Seconds $Jitter
     }
     Until ($TimeNow -ge $RunEnd)
    
  3. In the Notepad menu, select File and then Save.

  4. Go back to the Command Prompt window, enter the following command and press Enter.

    Note: You will see DNS resolve errors. This is expected.

     Start PowerShell.exe -file c2.ps1
    

Important: Do not close these windows. Let this PowerShell script run in the background. The command needs to generate log entries for some hours. You can proceed to the next task and next exercises while this script runs. The data created by this task will be used in the Threat Hunting lab later. This process will not create substantial amounts of data or processing.
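The beacon that c2.ps1 produces has a recognisable shape: a fixed first label, a random numeric label, a fixed parent domain, and a near-constant interval with jitter. The following Python is an added example (not part of the lab) that scores constructed DNS query records for that shape; it assumes DNS query logs with timestamp, client, name and type are available, which this lab does not collect, and its thresholds are assumptions.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not Sentinel settings: enough
# queries to judge timing, almost every name unique (random label), and gaps
# clustered around their median despite the script's +/-20 % jitter.
MIN_QUERIES = 10
MIN_UNIQUE_RATIO = 0.9
MAX_GAP_CV = 0.25


def beacon_candidates(records):
    """Score DNS queries for c2.ps1-style beaconing. records: (timestamp, client,
    name, qtype); names sharing first label and parent domain form one group."""
    groups = defaultdict(list)
    for ts, client, name, qtype in records:
        labels = name.lower().split(".")
        if len(labels) < 3:
            continue
        key = (client, qtype, labels[0], ".".join(labels[-2:]))
        groups[key].append((ts, name.lower()))
    findings = []
    for (client, qtype, label, parent), items in groups.items():
        if len(items) < MIN_QUERIES:
            continue
        items.sort()
        unique_ratio = len({n for _, n in items}) / len(items)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # 0 = perfectly regular
        if unique_ratio >= MIN_UNIQUE_RATIO and gap_cv <= MAX_GAP_CV:
            findings.append({"client": client, "type": qtype,
                             "pattern": f"{label}.<random>.{parent}", "queries": len(items),
                             "median_gap_s": statistics.median(gaps), "gap_cv": round(gap_cv, 3)})
    return findings


def constructed_sample():
    """Constructed records (not captured data) imitating c2.ps1 plus benign noise."""
    rng = random.Random(7)
    start = datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)
    recs, t = [], start
    for _ in range(30):  # c2.ps1 main loop: about 8 s +/- 20 %, random numeric label
        recs.append((t, "WINServer", f"subdomain.{rng.randint(1, 999999)}.microsoft.com", "TXT"))
        t += timedelta(seconds=8 * (1 + rng.uniform(-0.2, 0.2)))
    t = start
    for i, gap in enumerate([1, 60, 5, 200, 3, 90, 10, 150, 2, 40, 30, 15]):
        recs.append((t, "WINServer", f"files.{i}.example.com", "TXT"))  # unique names, irregular timing
        t += timedelta(seconds=gap)
    recs += [(start + timedelta(minutes=m), "WIN1", "www.microsoft.com", "A") for m in range(12)]
    return recs
```

The less frequent sub2domain and sub3domain labels fall below MIN_QUERIES in a short window, so a real hunt would widen the window or lower the threshold for them.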

Task 1: Create a hunting query

In this task, you’ll create a hunting query, bookmark a result, and create a Livestream.

Note: Microsoft Sentinel has been predeployed in your Azure subscription with the name defenderWorkspace, and the required Content Hub solutions have been installed.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  6. Select the Microsoft Sentinel defenderWorkspace.

  7. Select Logs.

  8. Enter the following KQL Statement in the New Query 1 space:

    Important: Please paste any KQL queries first in Notepad and then copy from there to the New Query 1 Log window to avoid any errors.

     let lookback = 2d; 
     SecurityEvent 
     | where TimeGenerated >= ago(lookback) 
     | where EventID == 4688 and Process =~ "powershell.exe"
     | extend PwshParam = trim(@"[^/\\]*powershell(.exe)+" , CommandLine) 
     | project TimeGenerated, Computer, SubjectUserName, PwshParam 
     | summarize min(TimeGenerated), count() by Computer, SubjectUserName, PwshParam 
     | order by count_ desc nulls last 
    
  9. Review the different results. You have now identified PowerShell requests that are running in your environment.

  10. Select the checkbox of the result that shows “-file c2.ps1”.

  11. In the Results pane command bar, select the Add bookmark button.

  12. Select + Add new entity under Entity mapping.

  13. For Entity select Host, then Hostname and Computer for the values.

  14. For Tactics and Techniques, select Command and Control.

  15. In the Add bookmark blade, select Create. We will map this bookmark to an incident later.

  16. Close the Logs window by selecting the X in the top-right of the window and select OK to discard the changes.

  17. Select your Microsoft Sentinel workspace again and select the Hunting page under the Threat Management area.

  18. Select the Queries tab and then + New Query from the command bar.

  19. In the Create custom query window, for the Name enter PowerShell Hunt.

  20. For the Custom query enter the following KQL statement:

     let lookback = 2d; 
     SecurityEvent 
     | where TimeGenerated >= ago(lookback) 
     | where EventID == 4688 and Process =~ "powershell.exe"
     | extend PwshParam = trim(@"[^/\\]*powershell(.exe)+" , CommandLine) 
     | project TimeGenerated, Computer, SubjectUserName, PwshParam 
     | summarize min(TimeGenerated), count() by Computer, SubjectUserName, PwshParam 
     | order by count_ desc nulls last 
    
  21. Scroll down and under Entity mapping select:

    • For the Entity type drop-down list select Host.
    • For the Identifier drop-down list select HostName.
    • For the Value drop-down list select Computer.

  22. Scroll down and under Tactics & Techniques select Command and Control and then select Create to create the hunting query.

  23. In the “Microsoft Sentinel - Hunting” blade, search for the query you just created in the list, PowerShell Hunt.

  24. Select PowerShell Hunt from the list.

  25. Review the number of results in the middle pane under the Results column.

  26. Select the View Results button from the right pane. The KQL query will automatically run.

  27. Close the Logs window by selecting the X in the top-right of the window and select OK to discard the changes.

  28. Right-click the PowerShell Hunt query and select Add to livestream. Hint: This also can be done by sliding right and selecting the ellipsis (…) at the end of the row to open a context menu.

  29. Review that the Status is now Running. This is running every 30 seconds in the background and you’ll receive a notification in the Azure portal (bell icon) when a new result is found.

  30. Select the Bookmarks tab in the middle pane.

  31. Select the bookmark you created from the results list.

  32. On the right pane, scroll down and select the Investigate button. Hint: It might take a couple of minutes to show the investigation graph.

  33. Explore the Investigation graph just like you did in the previous module. Notice the high number of Related alerts for WINServer.

  34. Close the Investigation graph window by selecting the X in the top-right of the window.

  35. Hide the right blade by selecting the » icon and then scroll right until you see the ellipsis (…) icon.

  36. Select Add to existing incident. All the incidents appear in the right pane.

  37. Select one of the incidents and then select Add.

  38. Scroll left to notice that the Severity column is now populated with the incident’s data.
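To show what the PowerShell Hunt query does row by row, here is an added Python equivalent (not part of the lab or of Microsoft Sentinel) run over constructed SecurityEvent 4688 records; the fixed clock and the sample events are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regex the lab query hands to KQL trim(): a slash-free prefix plus "powershell.exe".
PWSH_PATTERN = r"[^/\\]*powershell(.exe)+"
LOOKBACK = timedelta(days=2)
# Fixed "now" so the constructed sample is deterministic (assumption, not lab data).
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)

# Constructed SecurityEvent 4688 records, not real lab output. The first three mirror
# "Start PowerShell.exe -file c2.ps1" from the lab; the rest show the query's edges.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-03T09:00:00Z", "Computer": "WINServer", "SubjectUserName": "Administrator",
     "EventID": 4688, "Process": "powershell.exe", "CommandLine": "powershell.exe -file c2.ps1"},
    {"TimeGenerated": "2024-05-03T09:05:00Z", "Computer": "WINServer", "SubjectUserName": "Administrator",
     "EventID": 4688, "Process": "powershell.exe", "CommandLine": "powershell.exe -file c2.ps1"},
    {"TimeGenerated": "2024-05-02T20:00:00Z", "Computer": "WINServer", "SubjectUserName": "Administrator",
     "EventID": 4688, "Process": "powershell.exe", "CommandLine": "powershell.exe -file c2.ps1"},
    # Process is matched case-insensitively by =~ ; the trim regex itself is case-sensitive.
    {"TimeGenerated": "2024-05-03T10:00:00Z", "Computer": "WIN1", "SubjectUserName": "Admin",
     "EventID": 4688, "Process": "POWERSHELL.EXE", "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    # A full path is not trimmed ([^/\\]* cannot cross the backslashes), so it forms its own group.
    {"TimeGenerated": "2024-05-03T10:30:00Z", "Computer": "WINServer", "SubjectUserName": "Administrator",
     "EventID": 4688, "Process": "powershell.exe",
     "CommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file c2.ps1"},
    # Older than the 2-day lookback, and not PowerShell: both dropped by the where clauses.
    {"TimeGenerated": "2024-04-28T09:00:00Z", "Computer": "WINServer", "SubjectUserName": "Administrator",
     "EventID": 4688, "Process": "powershell.exe", "CommandLine": "powershell.exe -file c2.ps1"},
    {"TimeGenerated": "2024-05-03T11:00:00Z", "Computer": "WINServer", "SubjectUserName": "Administrator",
     "EventID": 4688, "Process": "notepad.exe", "CommandLine": "notepad c2.ps1"},
]


def kql_trim(pattern, text):
    """Mimic KQL trim(regex, source): remove all leading and trailing matches."""
    text = re.sub(rf"^(?:{pattern})+", "", text)
    return re.sub(rf"(?:{pattern})+$", "", text)


def powershell_hunt(events, now=NOW, lookback=LOOKBACK):
    """Python equivalent of the lab's PowerShell Hunt query: returns rows of
    (Computer, SubjectUserName, PwshParam, min_TimeGenerated, count_), highest count first."""
    groups = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeGenerated"].replace("Z", "+00:00"))
        if ts < now - lookback:                       # where TimeGenerated >= ago(lookback)
            continue
        if ev["EventID"] != 4688 or ev["Process"].lower() != "powershell.exe":  # =~ is case-insensitive
            continue
        param = kql_trim(PWSH_PATTERN, ev["CommandLine"])   # extend PwshParam = trim(...)
        groups[(ev["Computer"], ev["SubjectUserName"], param)].append(ts)
    rows = [(c, u, p, min(times), len(times)) for (c, u, p), times in groups.items()]
    return sorted(rows, key=lambda r: r[4], reverse=True)   # order by count_ desc
```

Note that PwshParam keeps the leading space left behind by trim, and that a launch by full path lands in a separate group from a launch by bare name, which is worth remembering when reading the bookmark results.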

Task 2: Create an NRT query rule

In this task, instead of using a Livestream, you’ll create an NRT analytics query rule. NRT rules run every minute and look back one minute. The benefit of NRT rules is that they can use the alert and incident creation logic.

  1. Select the Analytics page under Configuration in Microsoft Sentinel.

  2. Select the Create tab, then NRT query rule.

  3. This starts the “Analytics rule wizard”. For the General tab, enter:

    Setting      Value
    Name         NRT PowerShell Hunt
    Description  NRT PowerShell Hunt
    Tactics      Command and Control
    Severity     High

  4. Select the Next: Set rule logic > button.

  5. For the Rule query enter the following KQL statement:

     let lookback = 2d; 
     SecurityEvent 
     | where TimeGenerated >= ago(lookback) 
     | where EventID == 4688 and Process =~ "powershell.exe"
     | extend PwshParam = trim(@"[^/\\]*powershell(.exe)+" , CommandLine) 
     | project TimeGenerated, Computer, SubjectUserName, PwshParam 
     | summarize min(TimeGenerated), count() by Computer, SubjectUserName, PwshParam
    
  6. Select View query results > to make sure your query doesn’t have any errors.

  7. Close the Logs window by selecting the X in the top-right of the window and select OK to discard the changes.

  8. Select Test with current data under Results simulation. Notice the expected number of Alerts per day.

  9. Under Entity mapping select:

    • For the Entity type drop-down list select Host.
    • For the Identifier drop-down list select HostName.
    • For the Value drop-down list select Computer.

  10. Scroll down and select the Next: Incident settings > button.

  11. For the Incident settings tab, leave the default values and select the Next: Automated Response > button.

  12. On the Automated response tab, select the Next: Review and create > button.

  13. On the Review and create tab, select the Save button to create and save the new NRT analytics rule.

Task 3: Create a Search job

In this task, you’ll use a Search job to look for a C2.

Note: The Restore operation incurs costs that can deplete your Azure subscription credits. For that reason, you won’t be performing the restore operation in this lab. However, you can follow the steps below to perform the restore operation in your own environment.

  1. Select the Search page under General in Microsoft Sentinel.

  2. In the search box, enter reg.exe and then select Start.

  3. A new window running the query opens. Select the ellipsis icon (…) from the top right and then toggle the Search job mode.

  4. Select the Search job button from the command bar.

  5. The search job creates a new table with your results as soon as they arrive. The results can be viewed on the Saved Searches tab.

  6. Close the Logs window by selecting the X in the top-right of the window and select OK to discard the changes.

  7. Select the Restoration tab from the command bar and then the Restore button.

  8. Under Select a table to restore, search for and select SecurityEvent.

  9. Review the options available and then select the Cancel button.

    Note: If you were running the job, the restore would run for a couple of minutes and your data would be available in a new table.

Task 4: Create a hunt that combines multiple queries into a MITRE tactic

  1. The MITRE ATT&CK map helps you identify specific gaps in your detection coverage. Use predefined hunting queries for specific MITRE ATT&CK techniques as a starting point to develop new detection logic.

  2. In Microsoft Sentinel, expand Threat management from the left navigation menus.

  3. Select MITRE ATT&CK (Preview).

  4. Unselect items in the Active rules drop-down menu.

  5. Select Hunting queries in the Simulated rules filter to see which techniques have hunting queries associated with them.

  6. Select the card for Account Manipulation.

  7. In the details pane, locate Simulated coverage and select the View link next to Hunting queries.

  8. This link takes you to a filtered view of the Queries tab on the Hunting page based on the technique you selected.

  9. Select all the queries for that technique by selecting the box near the top of the list on the left.

  10. Select the Hunt actions drop-down menu near the middle of the screen above the filters.

  11. Select Create new hunt. All the queries you selected are cloned for this new hunt.

  12. Fill out the hunt name and optional fields. The description is a good place to state your hypothesis. The Hypothesis pull-down menu is where you set the status of your working hypothesis.

  13. Select Create to get started.

  14. Select the Hunts (Preview) tab to view your new hunt.

  15. Select the hunt link by name to view the details and take actions.

  16. View the details pane with the Hunt name, Description, Content, Last update time, and Creation time.

  17. Select all of the queries by using the box next to the Query column.

  18. Either select Run selected queries, or uncheck the selected rows, right-click a single query and select Run.

  19. You can also select a single query and select View results in the details pane.

  20. Review which queries returned results.

  21. Based on the results, determine if there’s enough strong evidence to validate the hypothesis. If there isn’t, close the Hunt and mark it as invalidated.

  22. Alternative Steps:

    • Go to Microsoft Sentinel.
    • Expand Threat management.
    • Choose Hunting.
    • Select ‘add filter’.
    • Set the filter to tactics: persistence.
    • Add another filter.
    • Set the second filter to have techniques: T1098.

Proceed to Exercise 2