Tutorial: Gathering vulnerability intelligence
In this tutorial, you will learn how to:
- Use the features of the Microsoft Defender Threat Intelligence (Defender TI) Threat Intelligence Home Page
- Perform several types of indicator searches to gather vulnerability intelligence
Prerequisites
A Microsoft Entra ID or personal Microsoft account. Log in or create an account.
A Microsoft Defender Threat Intelligence (Defender TI) Premium license.
Note
Users without a Defender TI Premium license can still log in to the Defender Threat Intelligence Portal and use the free Defender TI offering.
Disclaimer
Microsoft Defender Threat Intelligence (Defender TI) may include live, real-time observations and threat indicators, including malicious infrastructure and adversary tooling. Searching for an IP address or domain within the Defender TI platform is safe. The online resources Microsoft shares (for example, IP addresses and domain names) should be treated as real threats posing a clear and present danger. Use your best judgment and minimize unnecessary risk when interacting with malicious systems while performing the tutorial below. To reduce that risk, Microsoft has defanged the malicious IP addresses, hosts, and domains in this tutorial.
Before You Begin
As the disclaimer above states, suspicious and malicious indicators in this tutorial have been defanged for your safety: the dot before the last label is written as [.]. Remove the brackets from IPs, domains, and hosts before searching for them in Defender TI, so that [.] becomes a plain dot. Do not search for, or browse to, these indicators directly in your browser.
Open Defender TI’s Threat Intelligence Home Page
- Access the Defender Threat Intelligence Portal.
- Complete Microsoft authentication to access the portal.
Learn about Defender TI’s Threat Intelligence Home Page features
Review the search bar options by selecting the search bar and opening the All drop-down. Each option restricts the search to one indicator type, so note which option fits a CVE ID, an IP address, a domain or host, and a certificate hash.
Review the featured articles and the other articles on the Threat Intelligence Home Page.
Perform several types of indicator searches to gather vulnerability intelligence
Search for 'CVE-2020-1472' and review the associated vulnerability article, 'CVE-2020-1472'.
The Related Articles tab displays the article titled 'RiskIQ detections into components and indicators related to FireEye's breach disclosure and countermeasures'. Click the article to investigate.
Review the article’s public indicators.
Search for the IP address 173.234.155[.]208 (brackets removed) in the Threat Intelligence search bar.
Review the Summary tab results that return: reputation, analyst insights, articles, services, resolutions, certificates, and projects.
Navigate to the Data tab and review the data and intelligence data sets: resolutions, Whois, certificates, trackers, components, cookies, services, DNS, and articles.
Navigate back to the Resolutions data blade and pivot on myaeroplan[.]com.
Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, cookies, DNS, and reverse DNS data sets.
Take note of the following artifacts from the Data tab reviews of 173.234.155[.]208 and myaeroplan[.]com above:
- Whois Address: 1928 E. Highland Ave. Ste F104 PMB# 255
- Whois City: phoenix
- Whois State: az
- Whois Postal Code: 85016
- Whois Country: United States
- Whois Phone: 13478717726
- Whois Nameserver: ns0.1984[.]is
- Whois Nameserver: ns1.1984[.]is
- Whois Nameserver: ns2.1984[.]is
- Whois Nameserver: ns1.1984hosting[.]com
- Whois Nameserver: ns2.1984hosting[.]com
- Certificate SHA1: ead5b033ed4fd342261f389f0930aa7de1fba33d
- Certificate Serial Number: 236976486488328334603103229327145294996
- Certificate Issuer Common Name: COMODO RSA Domain Validation Secure Server CA
- Certificate Subject Common Name: myaeroplan[.]com
- Certificate Subject Alternative Name: myaeroplan[.]com
- Certificate Subject Alternative Name: www.myaeroplan[.]com
- Tracker Type: MarkOfTheWebSourceHost
- Tracker Value: www.aeroplan.com
- Component Name + Version: Apache (v2.4.29)
- Cookie Name: PHPSESSID
- Cookie Domain: myaeroplan[.]com
- Threat Articles: Points Guys: Aeroplan Frequent Flyer Program Credential Harvesting Campaign
Perform a search for each of the artifacts noted above (the nameservers, the certificate SHA1, the cookie name, and so on), choosing the matching search option. Note: refer to the search options you learned about in the Learn about Defender TI's Threat Intelligence Home Page features section.
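The Before You Begin section asks you to remove the defanging brackets before each search, and the artifact list above mixes several indicator types (a CVE ID, an IP address, hostnames, a certificate SHA1) that each belong under a different search option. The following Python script is an added example, not part of this tutorial or of the Defender TI product: it refangs the page's indicators, classifies each one so you know which search option to pick, and re-defangs values for a report. The type labels (cve, sha1, ip, host, keyword) are this example's own and are not the portal's menu names; the sample indicator list is constructed from the values on this page. The script only manipulates strings and never contacts any of the infrastructure.

```python
import ipaddress
import re

# Constructed sample input: the defanged indicators and pivotable artifacts
# this tutorial walks through (the CVE, the IP, the phishing domain, two of
# the 1984 Hosting nameservers and the certificate SHA1).
SAMPLE_INDICATORS = [
    "CVE-2020-1472",
    "173.234.155[.]208",
    "myaeroplan[.]com",
    "www.myaeroplan[.]com",
    "ns0.1984[.]is",
    "ns1.1984hosting[.]com",
    "ead5b033ed4fd342261f389f0930aa7de1fba33d",
]

# Hostname: dot-separated labels, no leading/trailing hyphen, TLD of 2+ chars.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+(?!-)[a-z0-9-]{2,63}(?<!-)$",
    re.IGNORECASE,
)
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the defanging used on this page so the value can be pasted into
    the Defender TI search bar: '[.]' (and a few common variants) becomes '.',
    and the 'hxxp' scheme mangling becomes 'http'. Pure string handling."""
    s = indicator.strip()
    for bracketed in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(bracketed, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Re-apply the page's convention (bracket the last dot only) before a
    value goes into a report, ticket or chat where a client might auto-link it."""
    head, sep, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if sep else indicator


def classify(indicator: str) -> str:
    """Map a refanged value to the kind of search it should be looked up as.
    Labels are this example's own. Order matters: a CVE ID and a SHA1 contain
    no dot, and an IPv4 address would otherwise pass the hostname pattern."""
    s = indicator.strip()
    if _CVE_RE.match(s):
        return "cve"
    if _SHA1_RE.match(s):
        return "sha1"
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if _HOST_RE.match(s):
        return "host"
    return "keyword"


def plan_searches(defanged_values):
    """Return (search_type, refanged_value) pairs, deduplicated case-insensitively
    and kept in input order, ready to be typed into the search bar one at a time."""
    seen = set()
    plan = []
    for raw in defanged_values:
        value = refang(raw)
        key = value.lower()
        if key in seen:
            continue
        seen.add(key)
        plan.append((classify(value), value))
    return plan


if __name__ == "__main__":
    # Print the search plan for this tutorial's indicators; the refanged
    # values are shown only so they can be pasted into the portal.
    for kind, value in plan_searches(SAMPLE_INDICATORS):
        print(f"{kind:8} {value}")
```

Run the script to get one line per artifact with the search type to select and the refanged value to paste. Keep the defanged form (via defang) in anything you write up, since the refanged form is what a mail client or wiki would turn into a clickable link.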
Clean up resources
There are no resources to clean up in this section.