Hunt for threats across devices, emails, apps, and identities

Applies to:

  • Microsoft Defender XDR

Advanced hunting in Microsoft Defender XDR lets you proactively hunt for threats across:

  • Devices managed by Microsoft Defender for Endpoint
  • Emails processed by Microsoft 365
  • Cloud app activities, authentication events, and domain controller activities tracked by Microsoft Defender for Cloud Apps and Microsoft Defender for Identity

With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive by email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices.

The following sections present general techniques and sample queries, organized by hunting scenario, that show how you can construct queries when hunting for such sophisticated threats.

Get entity info

Use these queries to learn how you can quickly get information about user accounts, devices, and files.

Obtain user accounts from email addresses

When you construct queries across tables that cover devices and emails, you will often need to obtain user account names from sender or recipient email addresses. You can generally do this for either the recipient or the sender address by taking the local part of the email address (the portion before the @).

In the snippet below, we use the tostring() Kusto function to extract the local part right before the @ from recipient email addresses in the RecipientEmailAddress column.

//Query snippet showing how to extract the account name from an email address
AccountName = tostring(split(RecipientEmailAddress, "@")[0])

The query below shows how this snippet can be used:

EmailEvents
| where Timestamp > ago(7d)
| project RecipientEmailAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);

Merge the IdentityInfo table

You can get account names and other account information by merging or joining the IdentityInfo table. The query below obtains the list of phishing and malware detections from the EmailEvents table and then joins that information with the IdentityInfo table to get detailed information about each recipient.

EmailEvents
| where Timestamp > ago(7d)
//Get email processing events where the messages were identified as either phishing or malware
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
//Merge email events with identity info to get recipient details
| join (IdentityInfo | distinct AccountUpn, AccountDisplayName, JobTitle,
Department, City, Country) on $left.RecipientEmailAddress == $right.AccountUpn
//Show important message and recipient details
| project Timestamp, NetworkMessageId, Subject, ThreatTypes,
SenderFromAddress, RecipientEmailAddress, AccountDisplayName, JobTitle,
Department, City, Country

Watch this short video to learn how you can use Kusto Query Language to join tables.

Get device information

The advanced hunting schema provides extensive device information in various tables. For example, the DeviceInfo table provides comprehensive device information based on event data aggregated regularly. This query uses the DeviceInfo table to check whether a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.

Tip

This query uses kind=inner to specify an inner join, which prevents deduplication of left-side values for DeviceId.

DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category

Get file event information

Use the following query to get information on file-related events.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10

Get network event information

Use the following query to get information on network-related events.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10

Get device agent version information

Use the following query to get the version of the agent running on a device.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10

Sample query for macOS devices

Use this sample query to view all devices running macOS with a version older than Catalina.

DeviceInfo
| where Timestamp > ago(1d)
| where OSPlatform == "macOS" and OSVersion !contains "10.15" and OSVersion !contains "11."
| summarize by DeviceId
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(1d)
) on DeviceId
| take 10

Get device status information

Use this query to get the status of devices. In the following example, the query checks whether the device is onboarded.

DeviceInfo
| where Timestamp > ago(1d)
| where OnboardingStatus != "Onboarded"
| summarize by DeviceId
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(1d)
) on DeviceId
| take 10
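As an added example that is not from the page, this query collapses DeviceInfo to one current row per device with arg_max instead of joining DeviceInfo to itself (which repeats every device once per heartbeat row), and then flags the not-onboarded and pre-Catalina macOS conditions from the queries above by parsing the version number rather than matching substrings. The flag column names and the 7-day lookback are assumptions.

```kql
// Added example: one current row per device, then flag the page's device conditions.
DeviceInfo
| where Timestamp > ago(7d)
// DeviceInfo contains partial heartbeat rows; keep only rows that report a platform
| where isnotempty(OSPlatform)
// keep the most recent report for each device (assumed: DeviceId is the device key)
| summarize arg_max(Timestamp, DeviceName, OSPlatform, OSVersion, ClientVersion, OnboardingStatus) by DeviceId
| extend NotOnboarded = OnboardingStatus != "Onboarded"
// parse major.minor so that "10.9" sorts below "10.15" (a substring check cannot do this)
| extend OSMajor = toint(split(OSVersion, ".")[0]), OSMinor = toint(split(OSVersion, ".")[1])
| extend PreCatalina = OSPlatform == "macOS" and (OSMajor < 10 or (OSMajor == 10 and OSMinor < 15))
// keep only devices that need attention, but show the agent version for context
| where NotOnboarded or PreCatalina
| project Timestamp, DeviceId, DeviceName, OSPlatform, OSVersion, ClientVersion,
          OnboardingStatus, NotOnboarded, PreCatalina
| order by Timestamp desc
```

A device whose OSVersion is empty gets null in OSMajor and OSMinor, so PreCatalina evaluates to false for it rather than producing a spurious hit.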

Hunting scenarios

List logon activities of users that received emails that were not zapped successfully

Zero-hour auto purge (ZAP) addresses malicious emails after they have been received. If ZAP fails, malicious code may eventually run on the device and leave accounts compromised. This query checks for logon activity by the recipients of emails that were not successfully addressed by ZAP.

EmailPostDeliveryEvents
| where Timestamp > ago(7d)
//List malicious emails that were not zapped successfully
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId, RecipientEmailAddress
//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId, RecipientEmailAddress, AccountUpn,
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType

Get logon attempts by domain accounts targeted by credential theft

This query first identifies all credential access alerts in the AlertInfo table. It then merges or joins the AlertEvidence table, which it parses for the names of the targeted accounts and filters for domain-joined accounts only. Finally, it checks the IdentityLogonEvents table to get all logon activities by the domain-joined targeted accounts.

AlertInfo
| where Timestamp > ago(30d)
//Get all credential access alerts
| where Category == "CredentialAccess"
//Get more info from AlertEvidence table to get the SID of the target accounts
| join AlertEvidence on AlertId
| extend IsJoined=(parse_json(AdditionalFields).Account.IsDomainJoined)
| extend TargetAccountSid=tostring(parse_json(AdditionalFields).Account.Sid)
//Filter for domain-joined accounts only
| where IsJoined has "true"
//Merge with IdentityLogonEvents to get all logon attempts by the potentially compromised target accounts
| join kind=inner IdentityLogonEvents on $left.TargetAccountSid == $right.AccountSid
//Show only pertinent info, such as account name, the app or service, protocol, the accessed device, and type of logon
| project AccountDisplayName, TargetAccountSid, Application, Protocol, DeviceName, LogonType

Check whether files from a known malicious sender are on your devices

Assuming you know of an email address that sends malicious files (MaliciousSender@example.com), you can run this query to determine whether files from this sender exist on your devices. You can use this query, for example, to identify devices affected by a malware distribution campaign.

EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
//Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
| join (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

Review logon attempts after receipt of malicious emails

This query finds the 10 most recent logons performed by email recipients within 30 minutes after they received known malicious emails. You can use this query to check whether the accounts of the email recipients have been compromised.

//Define new table for malicious emails
let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10

Review PowerShell activities after receipt of emails from a known malicious sender

Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious sender (MaliciousSender@example.com), you can use this query to list and review PowerShell activities that occurred within 30 minutes of an email being received from that sender.

//Define new table for emails from specific sender
let EmailsFromBadSender=EmailEvents
| where SenderFromAddress =~ "MaliciousSender@example.com"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
//Merge emails from sender with process-related events on devices
EmailsFromBadSender
| join (
DeviceProcessEvents
//Look for PowerShell activity
| where FileName =~ "powershell.exe"
//Add line below to check only events initiated by Outlook
//| where InitiatingProcessParentFileName =~ "outlook.exe"
| project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
) on AccountName
//Check only PowerShell activities within 30 minutes of receipt of an email
| where (TimeProc - TimeEmail) between (0min.. 30min)
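As an added example that is not part of the original page, this query chains the attachment-hash pattern from the malicious-sender scenario with the 30-minute-window pattern above: attachments from the page's placeholder sender are matched to powershell.exe or pwsh.exe launches by the same recipient within 30 minutes of delivery and summarized per device, so one row per affected device replaces one row per process event. The lookback, window, lowercasing of account names, and output column names are assumptions.

```kql
// Added example: attachments from a known sender -> PowerShell launched by the recipient shortly after.
let lookback = 7d;
let window = 30m;
let BadAttachments = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where SenderFromAddress =~ "MaliciousSender@example.com"
    | where isnotempty(SHA256)
    // lowercase the local part so it joins cleanly with device-side AccountName
    | project TimeEmail = Timestamp, NetworkMessageId, AttachmentName = FileName, SHA256,
              AccountName = tolower(tostring(split(RecipientEmailAddress, "@")[0]));
let PowerShellOnDevices = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    // cover both Windows PowerShell and PowerShell 7
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | project TimeProc = Timestamp, DeviceName, AccountName = tolower(AccountName),
              InitiatingProcessFileName, ProcessCommandLine;
BadAttachments
| join kind=inner PowerShellOnDevices on AccountName
// keep only launches in the window after the email arrived
| where TimeProc between (TimeEmail .. (TimeEmail + window))
| summarize LaunchCount = count(), FirstLaunch = min(TimeProc),
            Parents = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, AccountName, AttachmentName, SHA256, NetworkMessageId
| order by LaunchCount desc
```

The Parents set shows which process spawned PowerShell, which is the quickest way to separate launches from an email client or document reader from routine administrative use.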
