During the first open-source SimuLand event last month, security teams could create test attack patterns, deploy lab environments, and see how Microsoft security platforms perform against threats. Throughout the experiments, researchers collected telemetry data to improve understanding of the attacks. Microsoft is now releasing a public dataset covering that telemetry, specifically from the first simulation, which looked at how threat actors could steal the Active Directory Federation Services (ADFS) token-signing certificate from an on-premises ADFS server. With that certificate they could sign a Security Assertion Markup Language (SAML) token and use it to access the Microsoft Graph API. Several security events were monitored during the simulation and are now available in the new dataset; Microsoft details these events in an image (above).
Improving Detection and Protection
All logs gathered during the simulation came from the Microsoft 365 Defender Advanced Hunting API and the Azure Log Analytics workspace API. Microsoft points out that making the dataset public gives security researchers more tools to combat risks, including improving detection in the following ways:
“Expedite the development and validation of detection rules.
Identify and validate a chain of events to model adversary behavior.
Facilitate labeled and unlabeled data for initial research and feature development.
Automate simulation exercises by injecting pre-recorded events into data pipelines.
Complement training material and expedite the creation of data analysis use cases.
Expedite the creation of internal or community events, such as capture-the-flag or hackathons, where the data is used to create challenges and encourage collaboration.”
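Two of the use cases above, replaying pre-recorded events into a pipeline and validating a detection rule against them, can be shown together. The following is an added example written for this article; it is not Microsoft's SimuLand code and does not use the released dataset. The four JSON Lines records are constructed, and their field names (timestamp, source, action, actor, target) and action values are assumptions rather than the schema of the Microsoft 365 Defender or Log Analytics exports. It rebases recorded timestamps so the replay lands at the current time while keeping the original spacing between events, then runs a simple chained rule over the replayed stream that mirrors the scenario the article describes: the token-signing certificate is read on the ADFS server, a SAML token is issued by the same actor, and the subject of that token reaches Microsoft Graph within a short window.

```python
"""Replay pre-recorded simulation events and validate a chained detection rule.

Added example: not Microsoft's SimuLand code and not the released dataset.
Records and field names below are constructed assumptions for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export in JSON Lines form (not the real dataset schema).
SAMPLE_JSONL = """\
{"timestamp": "2021-05-20T14:02:11Z", "source": "M365D", "action": "ADFSTokenSigningCertRead", "actor": "svc_adfs", "target": "adfs01"}
{"timestamp": "2021-05-20T14:09:47Z", "source": "M365D", "action": "SAMLTokenIssued", "actor": "svc_adfs", "target": "admin@contoso.example"}
{"timestamp": "2021-05-20T14:10:03Z", "source": "LogAnalytics", "action": "GraphAPIAccess", "actor": "admin@contoso.example", "target": "https://graph.microsoft.com/v1.0/users"}
{"timestamp": "2021-05-20T15:30:00Z", "source": "LogAnalytics", "action": "GraphAPIAccess", "actor": "bob@contoso.example", "target": "https://graph.microsoft.com/v1.0/me"}
"""


def parse_events(jsonl):
    """Parse JSON Lines into dicts with timezone-aware datetimes, oldest first."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["timestamp"])


def rebase(events, start):
    """Shift all timestamps so the first event lands at `start`, preserving the
    recorded gaps between events. A replay tool does this so old recordings are
    not dropped or aged out when injected into a live ingestion pipeline."""
    if not events:
        return []
    offset = start - events[0]["timestamp"]
    return [dict(e, timestamp=e["timestamp"] + offset) for e in events]


def detect_cert_theft_chain(events, window=timedelta(hours=1)):
    """Chained rule: cert read -> SAML token issued by the same actor -> Graph
    access by that token's subject, all inside `window` of the cert read.
    Returns (cert_read_time, graph_access_time, subject) tuples."""
    hits = []
    for r in (e for e in events if e["action"] == "ADFSTokenSigningCertRead"):
        deadline = r["timestamp"] + window
        for t in events:
            if t["action"] != "SAMLTokenIssued" or t["actor"] != r["actor"]:
                continue
            if not (r["timestamp"] <= t["timestamp"] <= deadline):
                continue
            for g in events:
                if (g["action"] == "GraphAPIAccess" and g["actor"] == t["target"]
                        and t["timestamp"] <= g["timestamp"] <= deadline):
                    hits.append((r["timestamp"], g["timestamp"], t["target"]))
    return hits


def serialize(events):
    """Emit events as JSON Lines again, ready to post to an ingestion endpoint."""
    lines = []
    for e in events:
        rec = dict(e, timestamp=e["timestamp"].isoformat().replace("+00:00", "Z"))
        lines.append(json.dumps(rec))
    return "\n".join(lines)


if __name__ == "__main__":
    recorded = parse_events(SAMPLE_JSONL)
    replayed = rebase(recorded, datetime.now(timezone.utc))
    print(serialize(replayed))
    for read_at, graph_at, subject in detect_cert_theft_chain(replayed):
        print(f"ALERT: cert read {read_at:%H:%M:%S}, Graph access as {subject} at {graph_at:%H:%M:%S}")
```

Running the script prints the rebased stream and one alert for the admin subject; the unrelated Graph access by the second user does not fire because it is not tied to a token issued after the certificate read. Replacing the constructed records with rows from the published dataset, and the assumed action names with the real event fields, is the adaptation a detection engineer would make.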
You can read more about the SimuLand initiative on Microsoft’s official GitHub here.