Tutorial: Gathering vulnerability intelligence

In this tutorial, you will learn how to:

  • Navigate the Microsoft Defender Threat Intelligence (Defender TI) Threat Intelligence Home Page and its search options
  • Perform several types of indicator searches to gather vulnerability intelligence and pivot between related artifacts

[Screenshot: Defender TI Threat Intelligence Home Page overview]

Prerequisites

  • A Microsoft Entra ID or personal Microsoft account. Log in or create an account.

  • A Microsoft Defender Threat Intelligence (Defender TI) Premium license.

    Note

    Users without a Defender TI Premium license can still log in to the Defender Threat Intelligence portal and use the free Defender TI offering.

Disclaimer

Microsoft Defender Threat Intelligence (Defender TI) may include live, real-time observations and threat indicators, including malicious infrastructure and adversary threat tooling. IP and domain searches within the Defender TI platform are safe to perform. Microsoft shares online resources (for example, IP addresses and domain names) that should be considered real threats posing a clear and present danger. Use your best judgment and minimize unnecessary risk when interacting with malicious systems while performing the tutorial below. Note that Microsoft has worked to minimize risk by defanging malicious IP addresses, hosts, and domains.

Before You Begin

As the disclaimer above states, suspicious and malicious indicators have been defanged for your safety. Remove the brackets from IPs, domains, and hosts before searching in Defender TI (for example, search 173.234.155[.]208 as 173.234.155.208). Do not search these indicators directly in your browser.
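Refanging by hand is error-prone when an article lists dozens of indicators, and pasting a still-bracketed value into the search bar returns nothing. The following Python helper is an added example, not code from this tutorial or from Defender TI: it refangs the bracket convention used on this page (and the other common conventions: `(.)`, `[dot]`, `hxxp://`, `[:]`, `[@]`), defangs in the other direction for safe note-taking, and classifies each indicator as a CVE, SHA-1, URL, IP, or domain so you know which search type to pick. The sample list mixes indicators from this page with one constructed `hxxp` URL; the `example.com` URL is an assumption for illustration only. Mapping the returned kind to the portal's drop-down labels is left to the reader, since those labels are not reproduced here.

```python
import ipaddress
import re

# Constructed sample input: indicators in the bracket-defanged form this tutorial
# uses, plus one constructed hxxp URL (example.com) that is not from the page.
SAMPLE_INDICATORS = [
    "173.234.155[.]208",
    "myaeroplan[.]com",
    "www.myaeroplan[.]com",
    "ns0.1984[.]is",
    "hxxp://www[.]example[.]com/login",
    "CVE-2020-1472",
    "ead5b033ed4fd342261f389f0930aa7de1fba33d",
]

_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
_URL_RE = re.compile(r"^(https?://)([^/?#]+)(.*)$", re.IGNORECASE | re.DOTALL)
# RFC 1035-style labels; the final label must be alphabetic so a bare IP never matches.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form the search bar expects.

    Accepts the [.] convention used on this page as well as the other common
    variants: (.), {.}, [dot], (dot), hxxp://, [:] and [@].
    """
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\[:\]", ":", s)
    s = re.sub(r"\[@\]|\(@\)", "@", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def defang(indicator: str) -> str:
    """Defang a live indicator so it cannot be clicked or auto-linked.

    Every dot in the host portion is bracketed (the page brackets only the last
    one; refang() accepts both forms) and http(s) becomes hxxp(s). The URL path
    is left untouched so it stays readable.
    """
    s = indicator.strip()
    m = _URL_RE.match(s)
    if m:
        scheme, host, rest = m.groups()
        return scheme.lower().replace("http", "hxxp") + host.replace(".", "[.]") + rest
    return s.replace(".", "[.]")


def classify(indicator: str) -> str:
    """Return 'cve', 'sha1', 'url', 'ip', 'domain' or 'unknown' for a live or defanged value.

    'domain' covers hostnames too; the portal distinguishes hosts from domains,
    and that choice is left to the reader.
    """
    s = refang(indicator)
    if _CVE_RE.match(s):
        return "cve"
    if _SHA1_RE.match(s):
        return "sha1"
    if _URL_RE.match(s):
        return "url"
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.match(s):
        return "domain"
    return "unknown"


def prepare_searches(indicators):
    """Map each indicator to (kind, refanged_value), ready to paste into the search bar."""
    return [(classify(i), refang(i)) for i in indicators]


if __name__ == "__main__":
    for kind, value in prepare_searches(SAMPLE_INDICATORS):
        print(f"{kind:7} {value}")
```

Run the script and paste only the second column into Defender TI; keep the defanged originals in your notes. Because `classify()` refangs first, you can feed it either form.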

Open Defender TI’s Threat Intelligence Home Page

Learn about Defender TI’s Threat Intelligence Home Page features

  1. Review the search bar options by selecting the search bar and opening the All drop-down.

    [Screenshot: search bar options]

  2. Review the featured articles and articles within the Threat Intelligence Home Page.

    [Screenshot: featured articles on the Threat Intelligence Home Page]

Perform several types of indicator searches to gather vulnerability intelligence

  1. Search 'CVE-2020-1472' and review the associated vulnerability article, 'CVE-2020-1472' (Zerologon, the Netlogon elevation-of-privilege vulnerability).


  2. The Related Articles tab displays the article titled 'RiskIQ detections into components and indicators related to FireEye's breach disclosure and countermeasures'. It is related because FireEye's December 2020 disclosure listed CVE-2020-1472 among the vulnerabilities its stolen red team tools exploited. Click the article to investigate.

    [Screenshot: FireEye breach disclosure article]

  3. Review the article’s public indicators.

    [Screenshot: public indicators in the FireEye breach disclosure article]

  4. Search the IP address 173.234.155[.]208 in the Threat Intelligence search bar (remove the brackets before searching).

    [Screenshot: IP address search]

  5. Review the Summary tab, which returns reputation, analyst insights, articles, services, resolutions, certificates, and projects for the IP address.

    [Screenshot: IP address Summary tab]

  6. Navigate to the Data tab and review the data sets: resolutions, Whois, certificates, trackers, components, cookies, services, DNS, and articles.

    [Screenshot: IP address Data tab]

    [Screenshot: IP address articles data set]

  7. Navigate back to the Resolutions data blade and pivot on 'myaeroplan[.]com'.

    [Screenshot: pivot to the myaeroplan[.]com domain]

  8. Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, cookies, DNS, and reverse DNS data sets.

    [Screenshot: domain Data tab]

  9. Take note of the following artifacts from the Data tabs reviewed in steps 6 and 8:

    Artifact                             Value
    --------                             -----
    Whois Address                        1928 E. Highland Ave. Ste F104 PMB# 255
    Whois City                           phoenix
    Whois State                          az
    Whois Postal Code                    85016
    Whois Country                        United States
    Whois Phone                          13478717726
    Whois Nameserver                     ns0.1984[.]is
    Whois Nameserver                     ns1.1984[.]is
    Whois Nameserver                     ns2.1984[.]is
    Whois Nameserver                     ns1.1984hosting[.]com
    Whois Nameserver                     ns2.1984hosting[.]com
    Certificate SHA-1                    ead5b033ed4fd342261f389f0930aa7de1fba33d
    Certificate Serial Number            236976486488328334603103229327145294996
    Certificate Issuer Common Name       COMODO RSA Domain Validation Secure Server CA
    Certificate Subject Common Name      myaeroplan[.]com
    Certificate Subject Alternative Name myaeroplan[.]com
    Certificate Subject Alternative Name www.myaeroplan[.]com
    Tracker Type                         MarkOfTheWebSourceHost
    Tracker Value                        www.aeroplan.com
    Component Name + Version             Apache (v2.4.29)
    Cookie Name                          PHPSESSID
    Cookie Domain                        myaeroplan[.]com
    Threat Articles                      Points Guys: Aeroplan Frequent Flyer Program Credential Harvesting Campaign

  10. Perform the respective artifact searches from the table in step 9. Note: refer to the search options you learned in the Learn about Defender TI's Threat Intelligence Home Page features section to pick the right search type for each artifact.

Clean up resources

There are no resources to clean up in this section.