
List:       patchmanagement
Subject:    RE: [patchmanagement] Windows Defender ATP - "ask a threat expert"
From:       "Heaton, Joseph () Wildlife" <Joseph ! Heaton () wildlife ! ca ! gov>
Date:       2019-02-28 23:34:49
Message-ID: MW2PR0901MB24118857A26D0049D46A0383AA750 () MW2PR0901MB2411 ! namprd09 ! prod ! outlook ! com

Anyone here running E5/G5 licenses, and using Defender ATP?  My ISO is looking really hard at upgrading, but it carries a REALLY big price tag.

From: Susan E Bradley <sb@askwoody.com>
Sent: Thursday, February 28, 2019 2:15 PM
To: Patch Management Mailing List <patchmanagement@listserv.patchmanagement.org>
Subject: [patchmanagement] Windows Defender ATP - "ask a threat expert"


Note from Susan:

For those of you with Windows E5/Microsoft E5 subscriptions, run, do not walk, to the Defender ATP console - dashboard - threat analytics.

I love this stuff they post up there, but I can't find an external link for it so I'm sharing it here.  The one I've copied below is too good not to share and to showcase why I love the E5 license because of the security information shared in it.

As we are getting close to RSA the security releases are coming:
https://azure.microsoft.com/en-us/services/azure-sentinel/ Logging as a service

https://www.zdnet.com/article/microsofts-new-cloud-security-tools-aim-to-reduce-alert-fatigue/

The "ask a threat expert" service offering is in preview only and you can apply for the preview; it will be (as I understand it) a premier support contract offering. But for those of us in the cheaper seats, even a single Windows E5/Microsoft 365 E5 gives you the ability to see ATP on one machine in action and the goodness of the Threat analytics information .... like the one below: If you think they are out to get you, trust me they really ARE out to get you:

Takeaways:
Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  *   Use cloud authentication capabilities in Azure Active Directory, such as smart lockout and IP lockout, to actively block authentication attacks, including password spraying attacks.
  *   Use multi-factor authentication to mitigate successful password-spraying attacks. Keep MFA always on for privileged accounts and apply risk-based MFA for normal accounts. Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
  *   Periodically review your Office 365 audit log for admin activity related to account management. In particular, look for unexpected users being added to certain critical role groups, including the Exchange Organization Administrators or the Organization Management roles.
  *   Search the network for legacy on-premises Exchange Server or Active Directory Federation Services (ADFS) systems. To better protect such systems:

     *   Block legacy authentication from the extranet.
     *   Enable ADFS Web Application Proxy Extranet Lockout.
     *   Deploy Azure AD Connect Health for ADFS for improved logging and monitoring.



==========================================


MailSniper Exchange attack tool
Executive summary

Due to improved endpoint protection capabilities, defenders of properly instrumented networks are more and more likely to detect reconnaissance, privilege escalation, credential theft, and use of stolen credentials. In response, attackers are attempting to minimize their presence on endpoints and are collecting data from cloud services. Using a tool such as MailSniper, attackers can stealthily acquire privileged perimeter credentials and then gather sensitive data while reducing their risk of discovery.

MailSniper is a penetration testing tool freely available on GitHub under the GNU General Public License. It provides attackers with several capabilities for interacting with Microsoft Exchange, whether an on-premises Exchange Server or Exchange Online in Office 365, and for performing reconnaissance, exfiltration, and credential theft. Depending on what attackers are able to discover, the information gained through these activities may be used to move laterally in the network or to access specific network resources directly.

This focus on accessing user data as well as cloud resources and their management tools deviates from traditional attack scenarios involving lateral movement and elevation of privilege. It highlights a blind spot in the monitoring strategy of many organizations, where education about the available logging capabilities and hardening might not have been a focus during the shift to cloud infrastructure.

Analysis

When attackers breach a victim's network, many scenarios revolve around identifying and leveraging targets relevant to their goals, such as privileged user accounts, trust relationships, and repositories of sensitive data. For example, if an attacker wishes to steal proprietary research from an engineering company, they might need to:

  *   Locate where such information resides, such as network shares
  *   Enumerate users with access to the information
  *   Steal credentials that will enable access
  *   Use the credentials to exfiltrate the information

MailSniper's core functionality connects to Microsoft Exchange and enables searching within emails; attackers often search for keywords related to authentication, such as "pass*" and "creds". Additional capabilities in MailSniper modules let attackers:

  *   Collect user data from the Global Address List (GAL)
  *   Collect lists of folders from specific mailboxes
  *   Harvest valid domains and usernames from Outlook Web Access (OWA)
  *   Harvest valid Active Directory usernames from Exchange Web Services (EWS)
  *   Test access to specific mailboxes
  *   Mount password-spraying attacks against OWA and EWS portals


To use MailSniper effectively, an attacker must first possess valid, plaintext credentials belonging to an Exchange user. An attacker can use MailSniper to mount password-spraying attacks: slow, measured attempts to use a few common, weak passwords across many accounts. This technique avoids triggering detection thresholds and account lockouts, and can be executed remotely.

For an attacker that already has access to a compromised computer, techniques that merely abuse authentication weaknesses, such as pass-the-hash or pass-the-ticket attacks, are not relevant. However, other techniques can furnish an attacker with valid credentials:

  *   An attacker can use common penetration testing tools such as Mimikatz and PowerSploit to collect password hashes and Kerberos tickets from memory, followed by bruteforce attacks.
  *   As a stealthy alternative, tools such as SpiderLabs Responder can force a connection to a "rogue" SMB server by poisoning Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) responses, which may disclose credentials.
  *   Enabling the WDigest protocol, causing Windows to store plaintext credentials in memory.
  *   If the domain's password policy allows passwords to be stored using reversible encryption, attackers can check the publicly-accessible SYSVOL share on the domain controller for credentials, which can be decrypted with a publicly-known 32-bit AES key.

Once valid credentials are obtained, an attacker may use MailSniper's Invoke-SelfSearch module to search the user's mailbox for emails containing cleartext credentials. These may then be used elsewhere as the attacker moves laterally throughout the network.

In order to search multiple mailboxes, the attacker must first gain access to a user account that belongs to an administrative role group in the Office 365 tenant. Exchange Organization Administrators and Organization Management are some of the administrative role groups that exist by default, but tenant administrators can create arbitrary roles with the necessary rights.

To enumerate these roles, the attacker can use the Get-ManagementRoleAssignment cmdlet included in the Exchange PowerShell module, and then use the techniques described earlier to compromise the right credentials.

With management role credentials in hand, the attacker may use MailSniper's Invoke-GlobalMailSearch module to search for credentials across multiple mailboxes. Invoke-GlobalMailSearch grants the ApplicationImpersonation role to a user account, so it can access resources tied to another account without requiring credentials, effectively impersonating each user in turn.

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  *   Use cloud authentication capabilities in Azure Active Directory, such as smart lockout and IP lockout, to actively block authentication attacks, including password spraying attacks.
  *   Use multi-factor authentication to mitigate successful password-spraying attacks. Keep MFA always on for privileged accounts and apply risk-based MFA for normal accounts. Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
  *   Periodically review your Office 365 audit log for admin activity related to account management. In particular, look for unexpected users being added to certain critical role groups, including the Exchange Organization Administrators or the Organization Management roles.
  *   Search the network for legacy on-premises Exchange Server or Active Directory Federation Services (ADFS) systems. To better protect such systems:

     *   Block legacy authentication from the extranet.
     *   Enable ADFS Web Application Proxy Extranet Lockout.
     *   Deploy Azure AD Connect Health for ADFS for improved logging and monitoring.
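One way to act on the audit-log review item above, as an added example that is not part of Microsoft's report: a Python pass over unified audit log rows (as exported from Search-UnifiedAuditLog) that flags additions to the named role groups and any grant of ApplicationImpersonation, the role the report says Invoke-GlobalMailSearch hands out. The row layout assumed here (an AuditData JSON string with Operation, UserId, CreationTime and a Parameters Name/Value list) and all sample rows are constructed for the demo.

```python
"""Review exported Office 365 unified audit log rows for the role changes the
report tells you to watch: members added to critical Exchange role groups and
grants of the ApplicationImpersonation role used by Invoke-GlobalMailSearch.

Added example, not part of the threat analytics report. It assumes each row
looks like Search-UnifiedAuditLog output: an 'AuditData' JSON string carrying
Operation, UserId, CreationTime and a Parameters list of Name/Value pairs.
The rows at the bottom are constructed for the demo.
"""
import json

# Role groups the report names as worth watching for unexpected members.
CRITICAL_ROLE_GROUPS = {
    "Organization Management",
    "Exchange Organization Administrators",
}

# The role MailSniper's Invoke-GlobalMailSearch grants to read every mailbox.
IMPERSONATION_ROLE = "ApplicationImpersonation"


def _params(record):
    """Flatten the Parameters list [{Name, Value}, ...] into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def classify(record):
    """Return a finding string for a suspicious record, or None."""
    op = record.get("Operation", "")
    params = _params(record)
    actor = record.get("UserId", "<unknown>")
    if op == "Add-RoleGroupMember":
        group = params.get("Identity", "")
        if group in CRITICAL_ROLE_GROUPS:
            return f"{actor} added {params.get('Member')} to role group '{group}'"
    elif op == "New-ManagementRoleAssignment":
        # A direct role assignment, as opposed to role group membership.
        if params.get("Role", "").lower() == IMPERSONATION_ROLE.lower():
            return f"{actor} granted {IMPERSONATION_ROLE} to {params.get('User')}"
    elif op == "New-RoleGroup":
        # Tenant admins can create arbitrary roles; catch new groups that
        # bundle the impersonation right.
        if IMPERSONATION_ROLE.lower() in params.get("Roles", "").lower():
            return f"{actor} created role group '{params.get('Name')}' with {IMPERSONATION_ROLE}"
    return None


def review(rows):
    """Return (CreationTime, finding) tuples for rows that need a look."""
    findings = []
    for row in rows:
        record = json.loads(row["AuditData"])
        finding = classify(record)
        if finding:
            findings.append((record.get("CreationTime"), finding))
    return findings


def _row(creation_time, operation, user_id, **params):
    """Build one constructed export row in the assumed shape."""
    data = {
        "CreationTime": creation_time,
        "Operation": operation,
        "UserId": user_id,
        "Parameters": [{"Name": k, "Value": v} for k, v in params.items()],
    }
    return {"CreationTime": creation_time, "AuditData": json.dumps(data)}


# Constructed sample export: routine admin work plus two changes to flag.
SAMPLE_ROWS = [
    _row("2019-02-18T08:12:00", "Set-Mailbox", "admin@contoso.example",
         Identity="dana", ProhibitSendQuota="49 GB"),
    _row("2019-02-18T09:30:00", "Add-RoleGroupMember", "admin@contoso.example",
         Identity="Help Desk", Member="carol"),
    _row("2019-02-19T22:41:00", "Add-RoleGroupMember", "admin@contoso.example",
         Identity="Organization Management", Member="contractor7"),
    _row("2019-02-19T22:45:00", "New-ManagementRoleAssignment",
         "contractor7@contoso.example",
         Role="ApplicationImpersonation", User="contractor7"),
    _row("2019-02-20T10:00:00", "New-ManagementRoleAssignment", "admin@contoso.example",
         Role="Mail Recipients", User="helpdesk-svc"),
]

if __name__ == "__main__":
    for when, what in review(SAMPLE_ROWS):
        print(when, what)
```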

Detection details
Endpoint detection and response (EDR)

Alerts with the following titles in the Windows Defender Security Center portal can indicate active use of this tool on a machine in your network:

  *   Global mail search on Exchange using MailSniper
  *   Exchange mailbox or mail folder search using MailSniper
  *   Enumeration of Active Directory usernames using MailSniper
  *   Enumeration of the Exchange GAL using MailSniper
  *   Access to Exchange inboxes using MailSniper
  *   Password spraying using MailSniper
  *   Enumeration of domains and user accounts using MailSniper

Advanced hunting

To locate possible exploitation activity, run the following query:

let dateRange = ago(10d);
//
// whoami.exe started with powershell.exe as its grandparent
let whoamiProcess = ProcessCreationEvents
| where ProcessCreationTime >= dateRange
| where FileName =~ 'whoami.exe' and InitiatingProcessParentFileName =~ 'powershell.exe'
| project MachineId, whoamiTime = ProcessCreationTime, whoamiProcessName = FileName,
    whoamiParentName = InitiatingProcessParentFileName, whoamiParentPID = InitiatingProcessParentId;
//
// net.exe started with powershell.exe as its grandparent
let netProcess = ProcessCreationEvents
| where ProcessCreationTime >= dateRange
| where FileName =~ 'net.exe' and InitiatingProcessParentFileName =~ 'powershell.exe'
| project MachineId, netTime = ProcessCreationTime, netProcessName = FileName,
    netParentName = InitiatingProcessParentFileName, netParentPID = InitiatingProcessParentId;
//
// powershell.exe connecting to Exchange Online hosts
let mailServerEvents = NetworkCommunicationEvents
| where EventTime >= dateRange
| where InitiatingProcessFileName =~ 'powershell.exe'
| where RemoteUrl contains 'onmicrosoft.com'
    or RemoteUrl contains 'outlook.com'
| project MachineId, mailTime = EventTime, mailProcessName = InitiatingProcessFileName,
    mailPID = InitiatingProcessId;
//
// the same PowerShell process did all three within four hours
mailServerEvents
| join netProcess on MachineId
| where netParentPID == mailPID and netParentName == mailProcessName
| join whoamiProcess on MachineId
| where whoamiParentPID == mailPID and whoamiParentName == mailProcessName
| where netTime < mailTime + 4h and netTime > mailTime - 4h
| where whoamiTime < mailTime + 4h and whoamiTime > mailTime - 4h
| project MachineId, EstimatedIncidentTime = mailTime, ProcessName = mailProcessName,
    ProcessID = mailPID

The provided query checks events from the past ten days. Change dateRange to focus on a different period.
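The query's correlation logic as an added Python example (not Microsoft's code), run over constructed sample telemetry so a reader can see which event combinations produce a hit and which do not: it keeps the query's column names from the old ATP schema (ProcessCreationEvents / NetworkCommunicationEvents, where InitiatingProcessParent* describes the grandparent of the created process) and the strict +/- 4h window, and emits one hit per network event rather than one row per joined pair.

```python
"""Offline re-implementation of the advanced hunting query: a powershell.exe
process that reached an Exchange Online host and, on the same machine and
within four hours, was the grandparent of both net.exe and whoami.exe.

Added example, not Microsoft's code. Event dicts mirror the query's column
names; all events below are constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)
MAIL_HOST_MARKERS = ("onmicrosoft.com", "outlook.com")


def _t(s):
    return datetime.fromisoformat(s)


def _mail_events(network_events, since):
    """NetworkCommunicationEvents filtered like the query's mailServerEvents."""
    return [
        e for e in network_events
        if e["EventTime"] >= since
        and e["InitiatingProcessFileName"].lower() == "powershell.exe"
        and any(m in e["RemoteUrl"].lower() for m in MAIL_HOST_MARKERS)
    ]


def _grandchild_of_powershell(process_events, since, file_name):
    """ProcessCreationEvents for file_name whose grandparent is powershell.exe."""
    return [
        e for e in process_events
        if e["ProcessCreationTime"] >= since
        and e["FileName"].lower() == file_name
        and e["InitiatingProcessParentFileName"].lower() == "powershell.exe"
    ]


def _linked(proc, mail):
    """Same machine, grandparent PID is the PowerShell that made the
    connection, and the start time lies strictly within +/- WINDOW of it."""
    return (
        proc["MachineId"] == mail["MachineId"]
        and proc["InitiatingProcessParentId"] == mail["InitiatingProcessId"]
        and abs(proc["ProcessCreationTime"] - mail["EventTime"]) < WINDOW
    )


def hunt(process_events, network_events, since):
    """Return one dict per PowerShell process meeting all three conditions."""
    net = _grandchild_of_powershell(process_events, since, "net.exe")
    whoami = _grandchild_of_powershell(process_events, since, "whoami.exe")
    hits = []
    for mail in _mail_events(network_events, since):
        if any(_linked(p, mail) for p in net) and any(_linked(p, mail) for p in whoami):
            hits.append({
                "MachineId": mail["MachineId"],
                "EstimatedIncidentTime": mail["EventTime"],
                "ProcessName": mail["InitiatingProcessFileName"],
                "ProcessID": mail["InitiatingProcessId"],
            })
    return hits


# Constructed telemetry; "now" is taken as 2019-02-25, so ago(10d) is Feb 15.
SINCE = _t("2019-02-15T00:00:00")

NETWORK_EVENTS = [
    # WS-07: PowerShell 4120 reaches the tenant's Exchange Online endpoint.
    {"MachineId": "WS-07", "EventTime": _t("2019-02-20T09:00:00"),
     "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessId": 4120,
     "RemoteUrl": "contoso.onmicrosoft.com"},
    # WS-12: another PowerShell talks to outlook.com.
    {"MachineId": "WS-12", "EventTime": _t("2019-02-21T14:00:00"),
     "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessId": 880,
     "RemoteUrl": "outlook.com"},
    # A browser hitting the same host is out of scope for the query.
    {"MachineId": "WS-07", "EventTime": _t("2019-02-20T09:05:00"),
     "InitiatingProcessFileName": "chrome.exe", "InitiatingProcessId": 2200,
     "RemoteUrl": "outlook.com"},
]

PROCESS_EVENTS = [
    # WS-07: net.exe and whoami.exe under PowerShell 4120 minutes later -> hit.
    {"MachineId": "WS-07", "ProcessCreationTime": _t("2019-02-20T09:02:00"),
     "FileName": "net.exe", "InitiatingProcessParentFileName": "powershell.exe",
     "InitiatingProcessParentId": 4120},
    {"MachineId": "WS-07", "ProcessCreationTime": _t("2019-02-20T09:03:00"),
     "FileName": "whoami.exe", "InitiatingProcessParentFileName": "powershell.exe",
     "InitiatingProcessParentId": 4120},
    # WS-12: net.exe is in window but whoami.exe runs 5.5 h later -> no hit.
    {"MachineId": "WS-12", "ProcessCreationTime": _t("2019-02-21T14:10:00"),
     "FileName": "net.exe", "InitiatingProcessParentFileName": "powershell.exe",
     "InitiatingProcessParentId": 880},
    {"MachineId": "WS-12", "ProcessCreationTime": _t("2019-02-21T19:30:00"),
     "FileName": "whoami.exe", "InitiatingProcessParentFileName": "powershell.exe",
     "InitiatingProcessParentId": 880},
]

if __name__ == "__main__":
    for hit in hunt(PROCESS_EVENTS, NETWORK_EVENTS, SINCE):
        print(hit)
```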

References

  *   MailSniper <https://github.com/dafthack/MailSniper>. DaftHack on GitHub (accessed 2019-02-20)
  *   Get-ManagementRole <https://docs.microsoft.com/en-us/powershell/module/exchange/role-based-access-control/get-managementrole?view=exchange-ps>. Microsoft (2019-02-21)
  *   Azure AD and ADFS best practices: Defending against password spray attacks <https://www.microsoft.com/en-us/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/>. Microsoft (2019-02-21)

Change log

2019-02-23 05:00 UTC | Entry created

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators.  If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement@patchmanagement.org


[Attachment #5 (text/html)]

<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
	{font-family:&quot;
	panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;
	color:black;}
h2
	{mso-style-priority:9;
	mso-style-link:"Heading 2 Char";
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:18.0pt;
	font-family:"Calibri",sans-serif;
	color:black;
	font-weight:bold;}
h4
	{mso-style-priority:9;
	mso-style-link:"Heading 4 Char";
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:12.0pt;
	font-family:"Calibri",sans-serif;
	color:black;
	font-weight:bold;}
h5
	{mso-style-priority:9;
	mso-style-link:"Heading 5 Char";
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:10.0pt;
	font-family:"Calibri",sans-serif;
	color:black;
	font-weight:bold;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";
	color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;
	color:black;}
span.Heading4Char
	{mso-style-name:"Heading 4 Char";
	mso-style-priority:9;
	mso-style-link:"Heading 4";
	font-family:"Calibri Light",sans-serif;
	color:#2F5496;
	font-style:italic;}
span.Heading2Char
	{mso-style-name:"Heading 2 Char";
	mso-style-priority:9;
	mso-style-link:"Heading 2";
	font-family:"Calibri Light",sans-serif;
	color:#2F5496;}
span.Heading5Char
	{mso-style-name:"Heading 5 Char";
	mso-style-priority:9;
	mso-style-link:"Heading 5";
	font-family:"Calibri Light",sans-serif;
	color:#2F5496;}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;
	color:black;}
span.EmailStyle24
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:411507294;
	mso-list-template-ids:1545100398;}
@list l0:level1
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l0:level3
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level4
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level5
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level6
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level7
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level8
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level9
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1
	{mso-list-id:947353209;
	mso-list-template-ids:-1503491528;}
@list l1:level1
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l1:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l1:level3
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1:level4
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1:level5
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1:level6
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1:level7
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1:level8
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1:level9
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2
	{mso-list-id:1556816544;
	mso-list-template-ids:217637074;}
@list l2:level1
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l2:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l2:level3
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level4
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level5
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level6
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level7
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level8
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level9
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3
	{mso-list-id:1570071689;
	mso-list-template-ids:1394784950;}
@list l3:level1
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l3:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l3:level3
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3:level4
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3:level5
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3:level6
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3:level7
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3:level8
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3:level9
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4
	{mso-list-id:1600259059;
	mso-list-template-ids:1869021058;}
@list l4:level1
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l4:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l4:level3
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level4
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level5
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level6
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level7
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level8
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level9
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l5
	{mso-list-id:1640375865;
	mso-list-template-ids:65013440;}
@list l5:level1
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l5:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l5:level3
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l5:level4
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l5:level5
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l5:level6
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l5:level7
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Anyone here running E5/G5 licenses, and using Defender ATP?&nbsp; My ISO is looking really hard at upgrading, but it carries a REALLY big price tag.</span></p>
<p class="MsoNormal"><span style="color:windowtext">&nbsp;</span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Susan E Bradley &lt;sb@askwoody.com&gt; <br>
<b>Sent:</b> Thursday, February 28, 2019 2:15 PM<br>
<b>To:</b> Patch Management Mailing List &lt;patchmanagement@listserv.patchmanagement.org&gt;<br>
<b>Subject:</b> [patchmanagement] Windows Defender ATP - &quot;ask a threat expert&quot;</span></p>
</div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p>Note from Susan:</p>
<p>For those of you with Windows E5/Microsoft E5 subscriptions, run do not walk to the Defender ATP console - dashboard - threat analytics.&nbsp;</p>
<p>I love this stuff they post up there, but I can't find an external link for it so I'm sharing it here.&nbsp; The one I've copied below is too good not to share and to showcase why I love the E5 license because of the security information shared in it.</p>
<p>As we are getting close to RSA the security releases are coming:</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"><a href="https://azure.microsoft.com/en-us/services/azure-sentinel/">https://azure.microsoft.com/en-us/services/azure-sentinel/</a>&nbsp; Logging as a service</span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br> <span style="color:#1F497D"><a href="https://www.zdnet.com/article/microsofts-new-cloud-security-tools-aim-to-reduce-alert-fatigue/">https://www.zdnet.com/article/microsofts-new-cloud-security-tools-aim-to-reduce-alert-fatigue/</a></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The &quot;ask a threat expert&quot; service offering is in preview only and you can apply for the preview; it will be (as I understand it) a premier support contract offering.</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">But for those of us in the cheaper seats, even a single Windows E5/Microsoft 365 E5 gives you the ability to see ATP on one machine in action and the goodness of the Threat analytics information .... like the one below:</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If you think they are out to get you, trust me they really ARE out to get you:</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Takeaways:</p>
<h4 style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:17.35pt;box-sizing:border-box;font-family:&quot;Segoe UI&quot;,-apple-system,BlinkMacSystemFont,Roboto,&quot;Helvetica Neue&quot;,sans-serif">
<span style="font-size:16.0pt;color:#333333">Mitigations</span></h4>
<div style="margin-top:24.0pt;box-sizing: border-box">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.</p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo1;box-sizing: border-box">Use cloud authentication capabilities in Azure Active Directory, such as smart lockout and IP lockout, to actively block authentication attacks, including password spraying attacks.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo1;box-sizing: border-box">Use multi-factor authentication to mitigate successful password-spraying attacks. Keep MFA always on for privileged accounts and apply risk-based MFA for normal accounts. Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo1;box-sizing: border-box">Periodically review your Office 365 audit log for admin activity related to account management. In particular, look for unexpected users being added to certain critical role groups, including the Exchange Organization Administrators or the Organization Management roles.&nbsp;</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo1;box-sizing: border-box">Search the network for legacy on-premises Exchange Server or Active Directory Federation Services (ADFS) systems. To better protect such systems:
<ul type="circle">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level2 lfo1;box-sizing: border-box">Block legacy authentication from the extranet.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level2 lfo1;box-sizing: border-box">Enable ADFS Web Application Proxy Extranet Lockout.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level2 lfo1;box-sizing: border-box">Deploy Azure AD Connect Health for ADFS for improved logging and monitoring.</li>
</ul>
</li>
</ul>
</div>
<p><o:p>&nbsp;</o:p></p>
<p>==========================================<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;</p>
<h2 style="margin:0in;margin-bottom:.0001pt;line-height:23.1pt;box-sizing:border-box;font-family:&quot;Segoe UI&quot;,-apple-system,BlinkMacSystemFont,Roboto,&quot;Helvetica Neue&quot;,sans-serif;orphans: 2;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:21.0pt;color:#333333;font-weight:normal">MailSniper Exchange attack tool</span></h2>
<h4 style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:17.35pt;box-sizing:border-box;font-family:&quot;Segoe UI&quot;,-apple-system,BlinkMacSystemFont,Roboto,&quot;Helvetica Neue&quot;,sans-serif">
<span style="font-size:16.0pt;color:#333333">Executive summary</span></h4>
<div style="margin-top:24.0pt;box-sizing: border-box">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">Due to improved endpoint protection capabilities, defenders of properly instrumented networks are more and more likely to detect reconnaissance, privilege escalation, credential theft, and use of stolen credentials. In response, attackers are attempting to minimize their presence on endpoints and are collecting data from cloud services. Using a tool such as MailSniper, attackers can stealthily acquire privileged perimeter credentials and then gather sensitive data while reducing their risk of discovery.</p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">MailSniper is a penetration testing tool freely available on GitHub under the GNU General Public License. It provides attackers with several capabilities for interacting with Microsoft Exchange, whether an on-premises Exchange Server or Exchange Online in Office 365, and for performing reconnaissance, exfiltration, and credential theft. Depending on what attackers are able to discover, the information gained through these activities may be used to move laterally in the network or to access specific network resources directly.</p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">This focus on accessing user data as well as cloud resources and their management tools deviates from traditional attack scenarios involving lateral movement and elevation of privilege. It highlights a blind spot in the monitoring strategy of many organizations, where education about the available logging capabilities and hardening might not have been a focus during the shift to cloud infrastructure.</p>
</div>
<h4 style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:17.35pt;box-sizing:border-box;font-family:&quot;Segoe UI&quot;,-apple-system,BlinkMacSystemFont,Roboto,&quot;Helvetica Neue&quot;,sans-serif">
<span style="font-size:16.0pt;color:#333333">Analysis</span></h4>
<div style="margin-top:24.0pt;box-sizing: border-box">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">When attackers breach a victim's network, many scenarios revolve around identifying and leveraging targets relevant to their goals, such as privileged user accounts, trust relationships, and repositories of sensitive data. For example, if an attacker wishes to steal proprietary research from an engineering company, they might need to:</p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo2;box-sizing: border-box">Locate where such information resides, such as network shares</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo2;box-sizing: border-box">Enumerate users with access to the information</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo2;box-sizing: border-box">Steal credentials that will enable access</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo2;box-sizing: border-box">Use the credentials to exfiltrate the information</li>
</ul>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">MailSniper's core functionality connects to Microsoft Exchange and enables searching within emails—attackers often search for keywords related to authentication, such as "pass*" and "creds". Additional capabilities in MailSniper modules let attackers:</p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;box-sizing: border-box">Collect user data from the Global Address List (GAL)</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;box-sizing: border-box">Collect lists of folders from specific mailboxes</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;box-sizing: border-box">Harvest valid domains and usernames from Outlook Web Access (OWA)</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;box-sizing: border-box">Harvest valid Active Directory usernames from Exchange Web Services (EWS)</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;box-sizing: border-box">Test access to specific mailboxes</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;box-sizing: border-box">Mount password-spraying attacks against OWA and EWS portals</li>
</ul>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box"><img border="0" width="679" height="386" style="width:7.0729in;height:4.0208in" id="_x0000_i1025" src="cid:image001.png@01D4CF7B.22EB9AE0"></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">To use MailSniper effectively, an attacker must first possess valid, plaintext credentials belonging to an Exchange user. An attacker can use MailSniper to mount password-spraying attacks—slow, measured attempts to use a few common, weak passwords across many accounts. This technique avoids triggering detection thresholds and account lockouts, and can be executed remotely.</p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">For an attacker that already has access to a compromised computer, techniques that merely abuse authentication weaknesses, such as pass-the-hash or pass-the-ticket attacks, are not relevant. However, other techniques can furnish an attacker with valid credentials:</p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4;box-sizing: border-box">An attacker can use common penetration testing tools such as Mimikatz and PowerSploit to collect password hashes and Kerberos tickets from memory, followed by brute-force attacks.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4;box-sizing: border-box">As a stealthy alternative, tools such as SpiderLabs Responder can force a connection to a "rogue" SMB server by poisoning Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) responses, which may disclose credentials.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4;box-sizing: border-box">An attacker can enable the WDigest protocol, causing Windows to store plaintext credentials in memory.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4;box-sizing: border-box">If the domain's password policy allows passwords to be stored using reversible encryption, attackers can check the publicly accessible SYSVOL share on the domain controller for credentials, which can be decrypted with a publicly known 32-bit AES key.</li>
</ul>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">Once valid credentials are obtained, an attacker may use MailSniper's <i>Invoke-SelfSearch</i> module to search the user's mailbox for emails containing cleartext credentials. These may then be used elsewhere as the attacker moves laterally throughout the network.</p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">In order to search multiple mailboxes, the attacker must first gain access to a user account that belongs to an administrative role group in the Office 365 tenant. Exchange Organization Administrators and Organization Management are some of the administrative role groups that exist by default, but tenant administrators can create arbitrary roles with the necessary rights.</p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">To enumerate these roles, the attacker can use the <i>Get-ManagementRoleAssignment</i> cmdlet included in the Exchange PowerShell module, and then use the techniques described earlier to compromise the right credentials.</p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">With management role credentials in hand, the attacker may use MailSniper's <i>Invoke-GlobalMailSearch</i> module to search for credentials across multiple mailboxes. <i>Invoke-GlobalMailSearch</i> grants the <i>ApplicationImpersonation</i> role to a user account, so it can access resources tied to another account without requiring credentials, effectively impersonating each user in turn.</p>
</div>
<h4 style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:17.35pt;box-sizing:border-box;font-family:&quot;Segoe UI&quot;,-apple-system,BlinkMacSystemFont,Roboto,&quot;Helvetica Neue&quot;,sans-serif">
<span style="font-size:16.0pt;color:#333333">Mitigations</span></h4>
<div style="margin-top:24.0pt;box-sizing: border-box">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.</p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo5;box-sizing: border-box">Use cloud authentication capabilities in Azure Active Directory, such as smart lockout and IP lockout, to actively block authentication attacks, including password spraying attacks.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo5;box-sizing: border-box">Use multi-factor authentication to mitigate successful password-spraying attacks. Keep MFA always on for privileged accounts and apply risk-based MFA for normal accounts. Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo5;box-sizing: border-box">Periodically review your Office 365 audit log for admin activity related to account management. In particular, look for unexpected users being added to certain critical role groups, including the Exchange Organization Administrators or the Organization Management roles.&nbsp;</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo5;box-sizing: border-box">Search the network for legacy on-premises Exchange Server or Active Directory Federation Services (ADFS) systems. To better protect such systems:
<ul type="circle">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo5;box-sizing: border-box">Block legacy authentication from the extranet.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo5;box-sizing: border-box">Enable ADFS Web Application Proxy Extranet Lockout.</li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo5;box-sizing: border-box">Deploy Azure AD Connect Health for ADFS for improved logging and monitoring.</li>
</ul>
</li>
</ul>
</div>
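<p>One way to do the audit-log review recommended above, as an added example (this is not code from the original report or from Microsoft): the script walks constructed Office 365 audit records, whose layout is assumed to approximate what Search-UnifiedAuditLog exports, and flags membership changes to the two role groups named above plus grants of ApplicationImpersonation, the role Invoke-GlobalMailSearch relies on. The field names, cmdlet parameter names and the contoso.example tenant are assumptions.</p>

```python
"""Review Office 365 audit records for the admin activity the Mitigations list
calls out: accounts added to the Organization Management / Exchange Organization
Administrators role groups, plus grants of ApplicationImpersonation. Added example
over constructed records; it is not part of the original report. The record layout
(CreationDate/UserIds/Operations plus an AuditData JSON string whose Parameters are
Name/Value pairs) is an assumption approximating Search-UnifiedAuditLog output."""
import json

CRITICAL_ROLE_GROUPS = {"Organization Management", "Exchange Organization Administrators"}
CRITICAL_ROLES = {"ApplicationImpersonation"}

# Exchange cmdlet -> (parameter naming the group/role, values worth a finding)
WATCHED_OPERATIONS = {
    "Add-RoleGroupMember": ("Identity", CRITICAL_ROLE_GROUPS),
    "New-ManagementRoleAssignment": ("Role", CRITICAL_ROLES),
}


def _param(parameters, name):
    """Exchange admin records carry cmdlet arguments as [{"Name": .., "Value": ..}, ...]."""
    for p in parameters:
        if p.get("Name") == name:
            return p.get("Value", "")
    return ""


def review_role_changes(records, expected_admins):
    """Return one finding per watched cmdlet whose target is a critical group/role.
    A change made by an account outside expected_admins is marked 'unexpected-actor';
    everything else is 'review' (possibly legitimate, but it should be confirmed)."""
    expected = {a.lower() for a in expected_admins}
    findings = []
    for rec in records:
        data = json.loads(rec["AuditData"])
        op = data.get("Operation")
        if data.get("Workload") != "Exchange" or op not in WATCHED_OPERATIONS:
            continue
        param_name, watched = WATCHED_OPERATIONS[op]
        params = data.get("Parameters", [])
        target = _param(params, param_name)
        if target not in watched:
            continue
        actor = data.get("UserId", "")
        findings.append({
            "time": data.get("CreationTime"),
            "operation": op,
            "target": target,
            # Add-RoleGroupMember names the account in -Member, the role assignment in -User
            "member": _param(params, "Member") or _param(params, "User"),
            "actor": actor,
            "severity": "unexpected-actor" if actor.lower() not in expected else "review",
        })
    return findings


def _record(time, actor, operation, parameters):
    """Build one constructed audit record in the assumed exported shape."""
    audit = {"CreationTime": time, "Workload": "Exchange", "UserId": actor,
             "Operation": operation,
             "Parameters": [{"Name": n, "Value": v} for n, v in parameters]}
    return {"CreationDate": time, "UserIds": actor, "Operations": operation,
            "AuditData": json.dumps(audit)}


SAMPLE_RECORDS = [  # constructed sample; contoso.example is a placeholder tenant
    _record("2019-02-25T08:12:00", "admin@contoso.example", "Add-RoleGroupMember",
            [("Identity", "Organization Management"), ("Member", "helpdesk01@contoso.example")]),
    _record("2019-02-26T22:41:00", "svc-backup@contoso.example", "New-ManagementRoleAssignment",
            [("Role", "ApplicationImpersonation"), ("User", "svc-backup@contoso.example")]),
    _record("2019-02-27T09:00:00", "admin@contoso.example", "Add-RoleGroupMember",
            [("Identity", "Help Desk"), ("Member", "helpdesk02@contoso.example")]),
    _record("2019-02-27T09:05:00", "admin@contoso.example", "Set-Mailbox",
            [("Identity", "jdoe@contoso.example"), ("ForwardingSmtpAddress", "")]),
]


def review_sample():
    """Run the review over the constructed records with one known admin account."""
    return review_role_changes(SAMPLE_RECORDS, expected_admins={"admin@contoso.example"})


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Extend WATCHED_OPERATIONS with any custom role groups your tenant created, since the report notes administrators can create arbitrary roles with the same rights.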
<h4 style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:17.35pt;box-sizing: \
border-box;Segoe UI Web  (West European)&quot;Segoe
        UI,-apple-system,BlinkMacSystemFont,Roboto,Helvetica
        Neue,sans-serif">
<span style="font-size:16.0pt;font-family:&quot;&amp;quot&quot;,serif;color:#333333">Detection \
details <o:p></o:p></span></h4>
<div style="margin-top:24.0pt;box-sizing: border-box">
<h5 style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:11.5pt">
 <span style="font-size:10.5pt;font-family:&quot;&amp;quot&quot;,serif;color:#333333;font-weight:normal">Endpoint \
detection and response (EDR)<o:p></o:p></span></h5> <p \
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: \
border-box"> Alerts with the following titles in the Windows Defender Security Center \
portal can indicate active use of this tool on a machine in your \
network:<o:p></o:p></p> <ul type="disc">
<li class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 \
lfo6;box-sizing: border-box"> Global mail search on Exchange using \
MailSniper<o:p></o:p></li><li class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 \
lfo6;box-sizing: border-box"> Exchange mailbox or mail folder search using \
MailSniper<o:p></o:p></li><li class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 \
lfo6;box-sizing: border-box"> Enumeration of Active Directory usernames using \
MailSniper<o:p></o:p></li><li class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 \
lfo6;box-sizing: border-box"> Enumeration of the Exchange GAL using \
MailSniper<o:p></o:p></li><li class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 \
lfo6;box-sizing: border-box"> Access to Exchange inboxes using \
MailSniper<o:p></o:p></li><li class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 \
lfo6;box-sizing: border-box"> Password spraying using MailSniper<o:p></o:p></li><li \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 \
level1 lfo6;box-sizing: border-box"> Enumeration of domains and user accounts using \
MailSniper<o:p></o:p></li></ul> <h5 \
style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:11.5pt;box-sizing: \
border-box;Segoe UI Web (West  European)&quot;Segoe
          UI,-apple-system,BlinkMacSystemFont,Roboto,Helvetica
          Neue,sans-serif">
<span style="font-size:10.5pt;font-family:&quot;&amp;quot&quot;,serif;color:#333333;font-weight:normal">Advanced \
hunting<o:p></o:p></span></h5> <p \
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: \
border-box"> To locate possible exploitation activity, run the following \
query:<o:p></o:p></p> <div style="mso-element:para-border-div;border:solid #CCCCCC \
1.0pt;padding:7.0pt 7.0pt 7.0pt 7.0pt"> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in;background-clip: \
border-box;background-origin: padding-box;background-position-x: \
0px;background-position-y: 0px;background-size: auto;border-bottom-left-radius: \
4px;border-bottom-right-radius: 4px;border-image-outset: 0;border-image-repeat: \
stretch;border-image-slice: 100%;border-image-source: none;border-image-width: \
1;border-top-left-radius: 4px;border-top-right-radius: 4px;box-sizing: \
border-box;display:inline-block;Courier New&quot;monospace;min-width: \
500px;word-wrap: break-word;background-attachment:scroll;overflow:auto"><span \
style="font-family:Consolas;color:#333333">let dateRange = \
ago(10d);<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">//<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">let whoamiProcess = \
ProcessCreationEvents<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| where ProcessCreationTime &gt;= \
dateRange<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| where FileName =~ 'whoami.exe' and \
InitiatingProcessParentFileName =~ 'powershell.exe'<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| project MachineId, whoamiTime = \
ProcessCreationTime, whoamiProcessName = FileName, <o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">whoamiParentName = \
InitiatingProcessParentFileName, whoamiParentPID = \
InitiatingProcessParentId;<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">//<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">let netProcess = ProcessCreationEvents \
<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| where ProcessCreationTime &gt;= \
dateRange<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| where FileName =~ 'net.exe' and \
InitiatingProcessParentFileName =~ 'powershell.exe'<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| project MachineId, netTime = \
ProcessCreationTime, ProcessCreationTime = FileName, <o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">netParentName = \
InitiatingProcessParentFileName, netParentPID = \
InitiatingProcessParentId;<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">//<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">let mailServerEvents = \
NetworkCommunicationEvents<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| where EventTime &gt;= \
dateRange<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| where InitiatingProcessFileName =~ \
'powershell.exe'<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| where RemoteUrl contains \
'onmicrosoft.com'<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">or RemoteUrl contains \
'outlook.com'<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">| project MachineId, mailTime = EventTime, \
mailProcessName = InitiatingProcessFileName, <o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">mailPID = \
InitiatingProcessId;<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">//<o:p></o:p></span></pre> <pre \
style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span \
style="font-family:Consolas;color:#333333">mailServerEvents<o:p></o:p></span></pre> \
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">| join netProcess on MachineId</span></pre>
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">| where netParentPID == mailPID and netParentName == mailProcessName</span></pre>
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">| join whoamiProcess on MachineId</span></pre>
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">| where whoamiParentPID == mailPID and whoamiParentName == mailProcessName</span></pre>
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">| where netTime &lt; mailTime + 4h and netTime &gt; mailTime - 4h</span></pre>
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">| where whoamiTime &lt; mailTime + 4h and whoamiTime &gt; mailTime - 4h</span></pre>
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">| project MachineId, EstimatedIncidentTime = mailTime, ProcessName = mailProcessName,</span></pre>
<pre style="margin-bottom:7.5pt;line-height:13.95pt;word-break:break-all;border:none;padding:0in"><span style="font-family:Consolas;color:#333333">ProcessID = mailPID</span></pre> </div>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;box-sizing: border-box">The provided query checks events from the past ten days. Change <i>dateRange</i> to focus on a different period.</p> </div>
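<p>The join and time-window logic of the query above, replayed in Python over constructed process-creation events. This is an added example, not code from the threat analytics report; the mail process name (<code>outlook.exe</code>), the column mapping, and the sample events are assumptions, because the query's opening let-statements are not reproduced in this section.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed mapping of the query's three let-tables onto process file names.
MAIL_PROCESS = "outlook.exe"   # assumed mail client; adjust to the query's own filter
NET_PROCESS = "net.exe"
WHOAMI_PROCESS = "whoami.exe"
WINDOW = timedelta(hours=4)    # the query's "mailTime + 4h" / "mailTime - 4h"

@dataclass(frozen=True)
class ProcEvent:
    machine_id: str     # MachineId
    time: datetime      # EventTime
    name: str           # FileName of the created process
    pid: int            # ProcessId
    parent_name: str    # InitiatingProcessFileName
    parent_pid: int     # InitiatingProcessId

def split_by_name(events):
    """Mimic the let-tables: separate mail, net and whoami launches."""
    def by(n):
        return [e for e in events if e.name.lower() == n]
    return by(MAIL_PROCESS), by(NET_PROCESS), by(WHOAMI_PROCESS)

def correlate(mail, net, whoami, window=WINDOW):
    """Replay the join/where/project clauses: keep each mail process that
    spawned both net and whoami on the same machine within +/- window."""
    def spawned_by(parent, candidates):
        return [c for c in candidates
                if c.machine_id == parent.machine_id      # join ... on MachineId
                and c.parent_pid == parent.pid            # ParentPID == mailPID
                and c.parent_name == parent.name          # ParentName == mailProcessName
                and abs(c.time - parent.time) < window]   # strict +/- 4h bound
    return [{"MachineId": m.machine_id, "EstimatedIncidentTime": m.time,
             "ProcessName": m.name, "ProcessID": m.pid}
            for m in mail if spawned_by(m, net) and spawned_by(m, whoami)]

# Constructed sample events, not real telemetry.
T0 = datetime(2019, 2, 20, 9, 0)
SAMPLE = [
    ProcEvent("host-a", T0, "outlook.exe", 4100, "explorer.exe", 900),
    ProcEvent("host-a", T0 + timedelta(minutes=5), "net.exe", 4120, "outlook.exe", 4100),
    ProcEvent("host-a", T0 + timedelta(minutes=6), "whoami.exe", 4121, "outlook.exe", 4100),
    ProcEvent("host-b", T0, "outlook.exe", 4100, "explorer.exe", 900),       # same PID, other host
    ProcEvent("host-b", T0 + timedelta(minutes=5), "net.exe", 4120, "outlook.exe", 4100),  # no whoami
    ProcEvent("host-c", T0, "outlook.exe", 5000, "explorer.exe", 900),
    ProcEvent("host-c", T0 + timedelta(hours=5), "net.exe", 5010, "outlook.exe", 5000),    # outside 4h
    ProcEvent("host-c", T0 + timedelta(hours=5), "whoami.exe", 5011, "outlook.exe", 5000),
]

def find_hits(events=SAMPLE):
    return correlate(*split_by_name(events))
```

Only host-a survives: host-b never spawned whoami, and host-c's children fall outside the 4-hour window, which is exactly what the query's where clauses filter out.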
<h4 style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:17.35pt;box-sizing: border-box;font-family:'Segoe UI',-apple-system,BlinkMacSystemFont,Roboto,'Helvetica Neue',sans-serif">
<span style="font-size:16.0pt;color:#333333">Change log</span></h4>
<div style="margin-top:24.0pt;box-sizing: border-box">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">2019-02-23 05:00 UTC | Entry created</p>
</div>
</div>
</body>
</html>