Introducing Rich Reporting and Troubleshooting for Microsoft Playwright Testing

by Contributed | May 23, 2024 | Technology

This article is contributed. See the original author and article here.

Today, we’re excited to introduce rich reporting and easy troubleshooting for the Microsoft Playwright Testing service!

Microsoft Playwright Testing is a managed service built for running Playwright tests easily at scale. Playwright is a fast-growing, open-source framework that enables reliable end-to-end testing and automation for modern web apps. You can read more about the service here.

Now, with this new Reporting feature users can publish test results and related artifacts and view them in the service portal for faster and easier troubleshooting.

Quickly Identify Failed and Flaky Tests

In the fast-paced world of web development, applications evolve rapidly, constantly reshaping user experiences. To keep up, testing needs to be just as swift. Playwright automates end-to-end tests and delivers essential reports for troubleshooting. The Reporting feature provides a streamlined dashboard that highlights failed and flaky tests, enabling you to identify and address issues quickly. This focused view helps maintain application quality while supporting rapid iteration.

Screenshot of test results filtered by failed and flaky tests

Troubleshoot Tests Easily using rich artifacts

As test suites grow and the frequency of test execution increases, managing generated artifacts becomes challenging. These artifacts are crucial for debugging failed tests and demonstrating quality signals for feature deployment, but they are often scattered across various sources.

The Reporting feature consolidates results and artifacts, such as screenshots, videos, and traces, into a unified web dashboard, simplifying the troubleshooting process. The Trace Viewer, a tool offered by Playwright, that helps you explore traces and allows you to navigate through each action of your test and visually observe what occurred during each step. It is hosted in the service portal with the test for which it is collected, eliminating the need to store and locate it separately for troubleshooting.

Screenshot of trace viewer hosted in the service portal

Seamless Integration with CI Pipelines

Continuous testing is essential for maintaining application quality, but collecting and maintaining execution reports and artifacts can be challenging. Microsoft Playwright Testing service can be easily configured to collect results and artifacts in CI pipelines. It also captures details about the CI agent running the tests and presents them in the service portal with the test run. This integration facilitates a smooth transition from the test results to the code repository where tests are written. Users can also access the history of test runs in the portal and gain valuable insights, leading to faster troubleshooting and reduced developer workload.

Screenshot of test result with CI information

Join the Private Preview

For current Playwright users, adding the Reporting feature with your existing setup is easy. It integrates with the Playwright test suite, requiring no changes to the existing test code. All you need to do is install a package that extends the Playwright open-source package, add it to your configuration, and you’re ready to go. This feature operates independently of the service’s cloud-hosted browsers, so you can use it without utilizing service-managed browsers.

We invite teams interested in enhancing their end-to-end testing to join the private preview of the Reporting feature. This feature is available at no additional charge during the private preview period. However, usage of the cloud-hosted browsers feature will be billed according to Azure pricing.

Your feedback is invaluable for refining and enhancing this feature. By joining the private preview, you gain early access and direct communication with the product team, allowing you to share your experiences and help shape the future of the product.

Interested in trying out the reporting feature and giving us feedback? Sign up here.

Check out Microsoft Playwright Testing service here. If you are new to Microsoft Playwright Testing service, learn more about it.

Microsoft Copilot in Azure – Unlock the benefits of Azure Database for MySQL with your AI companion

by Contributed | May 22, 2024 | Technology

This article is contributed. See the original author and article here.

Microsoft Copilot in Azure (Public Preview) is an AI-powered tool to help you do more with Azure. Copilot in Azure extends capabilities to Azure Database for MySQL, allowing users to gain new insights, unlock untapped Azure functionality, and troubleshoot with ease. Copilot in Azure leverages Large Language Models (LLMs) and the Azure control plane, all of this is carried out within the framework of Azure’s steadfast commitment to safeguarding the customer’s data security and privacy.

The experience now supports adding Azure Database for MySQL self- help skills into Copilot in Azure, empowering you with self-guided assistance and the ability to solve issues independently. 

You can access Copilot in Azure right from the top menu bar in the Azure portal. Throughout a conversation, Copilot in Azure answers questions, suggests follow-up prompts, and makes high-quality recommendations, all while respecting your organization’s policy and privacy.

For a short demo of this new capability, watch the following video!

Discover new Azure Database for MySQL features with Microsoft Copilot in Azure

Explore when to enable new features to supplement real-life scenarios

Learn from summarized tutorials to enable features on-the-go

Troubleshoot your Azure Database for MySQL issues and get expert tips

To enable access to Microsoft Copilot in Azure for your organization, complete the registration form. You only need to complete the application process one time per tenant. Check with your administrator if you have questions about joining the preview.

For more information about the preview, see Limited access. Also be sure to review our Responsible AI FAQ for Microsoft Copilot in Azure.

Thank you!

Announcing public preview of Bicep templates support for Microsoft Graph

by Contributed | May 20, 2024 | Technology

This article is contributed. See the original author and article here.

v:* {behavior:url(#default#VML);}
o:* {behavior:url(#default#VML);}
w:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}

Dan Kershaw
Normal
Dan Kershaw
3
6436
2024-05-15T17:40:00Z
2024-05-15T17:43:00Z
1
786
4484
37
10
5260
16.00

Clean
Clean

false

false
false
false

EN-GB
X-NONE
X-NONE

We’re thrilled to announce that Bicep templates for Microsoft Graph resources will be in public preview starting May 21^st. Bicep templates bring declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. This new capability will initially be available for core Microsoft Entra ID resources.

Bicep templates for Microsoft Graph resources allow you to define the tenant infrastructure you want to deploy, such as groups or applications, in a file, then use the file throughout the development lifecycle to repeatedly deploy your infrastructure. The file uses the Bicep language, a domain-specific language (DSL), that uses declarative syntax to deploy resources typically used in DevOps and infrastructure-as-code solutions.

What problems does this solve?

Azure Resource Manager or Bicep templates allow you to declare Microsoft Azure resources in files and deploy those resources into your infrastructure. Configuring and managing your Azure services and infrastructure often includes managing Microsoft Entra ID resources, like applications and groups. Until now, you had to orchestrate your deployments between two mechanisms using ARM or Bicep template files for Azure resources and Microsoft Graph PowerShell for Microsoft Entra ID resources.

Now, with the Microsoft Graph Bicep release, you can declare the Microsoft Entra ID resources in the same Bicep files as your Azure resources, making configurations easier to define, and deployments more reliable and repeatable.

Let’s look at how this works and then we’ll run through an example.

The Microsoft Graph Bicep extension

To provide support for Bicep templates for Microsoft Graph resources, we have released the new Microsoft Graph Bicep extension that allows you to author, deploy, and manage supported Microsoft Graph resources (initially Microsoft Entra ID resources) in Bicep template files either on their own, or alongside Azure resources.

Authoring experience

You get the same first-class authoring experience of the Bicep Extension for VS Code when you use it to create your Microsoft Graph resource types in Bicep files. The editor provides rich type-safety, IntelliSense, and syntax validation.

Editing a Bicep file containing Microsoft Graph resources

You can also create Bicep files in Visual Studio with the Bicep extension for Visual Studio.

Deploying Bicep files

Once you have authored your Bicep file, you can deploy it using familiar tools such as Azure PowerShell and Azure CLI. When the deployment request is made to the Azure Resource Manager the deployments engine orchestrates the deployment of interdependent resources so they’re created in the correct order, including the Microsoft Graph resources.

The following image shows a Bicep template file where the Microsoft Graph group creation is dependent on the managed identity resource, as it is being added as a group member. The deployments engine first sends the managed identity request to the Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. Next, the deployments engine sees that Microsoft.Graph/groups is an extensible resource, so it knows to route this resource request to the Microsoft Graph Bicep extension. The Microsoft Graph Bicep extension then translates the groups resource request into a request to Microsoft Graph.

Deploying a Bicep file containing Microsoft Graph resources

Scenario: Using managed identities with security groups and app roles

Managed identities can be assigned to security groups and Microsoft Entra ID app roles as an authorization strategy. Using security groups can simplify management by reducing the number of role assignments.

Using a Microsoft Entra ID group to assigned roles to managed identities

However, this configuration isn’t possible using a Bicep or Resource Manager template. With Microsoft Graph Bicep extension, this limitation is removed. Rather than assigning and managing multiple Microsoft Azure role assignments, role assignments can be managed via a security group through a single Bicep file.

Bicep file declaring an Microsoft Entra ID group with a managed identity member
In the example above, a security group can be created and referenced, whose members can be managed identities. With Bicep templates for Microsoft Graph resources, declaring Microsoft Graph and Microsoft Azure resources together in the same Bicep files, enables new and simplifies existing deployment scenarios, bringing reliable and repeatable deployments.

Learn more

• Bicep templates for Microsoft Graph resources documentation


• Try out the create and deploy your first Bicep file with Microsoft Graph resources quickstart

A BlackByte Ransomware intrusion case study

by Contributed | May 18, 2024 | Technology

This article is contributed. See the original author and article here.

Introduction 

As ransomware attacks grow in number and sophistication every year, threat actors can quickly impact business operations if organizations are not well prepared. In this blog, we detail an investigation into a ransomware event. During this intrusion the threat actor progressed through the full attack chain, from initial access through to impact, in less than five days, causing significant business disruption for the victim organization.  

During the investigation, the Microsoft Incident Response team (formerly known as DART) identified the threat actor employing a range of tools & techniques to achieve their objectives, including:  

• Exploitation of unpatched internet exposed Microsoft Exchange Servers 


• Web Shell deployment facilitating remote access 


• Use of living of the land tools for persistence and reconnaissance 


• Cobalt Strike beacons for command and control 


• Process Hollowing and the use of vulnerable drivers for defense evasion 


• Deployment of custom developed backdoors to facilitate persistence 


• Deployment of a custom developed data collection and exfiltration tool 

Forensic analysis

Initial Access 

In order to obtain initial access into the victim’s environment, the Threat Actor was observed exploiting known vulnerabilities (ProxyShell) on unpatched Microsoft Exchange Servers: 

• CVE-2021-34473  


• CVE-2021-34523 


• CVE-2021-31207 

The exploitation of these vulnerabilities allowed the Threat Actor to: 

• Attain SYSTEM level privileges on the compromised Exchange host  


• Enumerate LegacyDN of users by sending an Autodiscover requests, including SIDs of users 


• Construct a valid authentication token and use it against the Exchange Powershell backend 


• Impersonate domain admin users and creates a web shell by using the New-MailboxExportRequest cmdlet 


• Create web shells in order to obtain remote control on the affected servers

The Threat Actor was observed operating from the following IP to exploit ProxyShell and access the web shell: 

• 185.225.73[.]244 

Persistence 

Backdoor 

Microsoft IR identified the creation of Registry Run Keys, a common persistence mechanism employed by threat actors to maintain access to a compromised device, where a payload is executed each time a specific user logs in. 

api-msvc.dll, detected by Microsoft Defender Antivirus as Trojan:Win32/Kovter!MSR, was determined to be a backdoor capable of collecting system information such as installed antivirus products, device name and IP address. This information is then sent via HTTP POST request to a command and control (C2) channel: 

• hxxps://myvisit[.]alteksecurity[.]org/t 

Unfortunately, the organization was not using Microsoft Defender as the primary AV/EDR solution, preventing to take action against the malicious code.

An additional file name, api-system.png, was identified with similarities to api-msvc.dll.  This file behaved like a DLL, had the same default export function, and also leveraged Run Keys for persistence.  

Cobalt Strike Beacon 

The threat actor leveraged Cobalt Strike, a common commercial penetration testing tool, to achieve persistence.  The file sys.exe, detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike beacon and was downloaded directly from the file sharing service temp.sh: 

• hxxps://temp[.]sh/szAyn/sys.exe 

This beacon was configured to communicate with the following command and control (C2) channel: 

• 109.206.243[.]59:443 

AnyDesk 

Microsoft IR frequently observes threat actors leveraging legitimate remote access during an intrusion, in an effort to blend in on a victim network. In this case, the threat actor utilized AnyDesk, a common remote administration tool to maintain persistence and move laterally within the network. AnyDesk was installed as a Service and was executed from the following paths: 

• C:systemtestanydeskAnyDesk.exe 


• C:Program Files (x86)AnyDeskAnyDesk.exe


• C:ScriptsAnyDesk.exe 

Successful connections were observed in AnyDesk Logs (ad_svc.trace) involving anonymizer service IP addresses linked to TOR and MULLVAD VPN. This is a common technique that actors employ to obscure their source IP ranges.  

Reconnaissance and Privilege Escalation 

Microsoft IR found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration, under the following executable names: 

• netscan.exe 


• netapp.exe 

In addition, execution of AdFind, an Active Directory reconnaissance tool, was observed in the environment.  

Credential Access 

Evidence of likely Mimikatz usage, a credential theft tool commonly used by threat actors, was also uncovered, through the presence of a related log file mimikatz.log. 

Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.  

Lateral Movement 

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol and Powershell Remoting to obtain access to other servers in the environment, including Domain Controllers. 

Data Staging and Data Exfiltration 

A suspicious file named “explorer.exe” was identified. The file was recognized by Microsoft Defender Antivirus as “Trojan:Win64/WinGoObfusc.LK!MT” and quarantined, but after disabling Windows Defender Antivirus service, the threat actor was able to execute the file using the following command: 

• explorer.exe P@$$w0rd 

Explorer.exe was reverse engineered by Microsoft IR and determined to be ExByte, a GoLang based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. 

The binary is capable of enumerating files of interest across the network, and upon execution creates a log file containing a list of files and associated metadata.  

Multiple log files were uncovered during the investigation in the path:  

• C:ExchangeMSExchLog.log 

Analysis of the binary revealed a list of file extensions which are targeted for enumeration. 

Binary analysis showing file extensions enumerated by explorer.exe 

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials which ExByte leveraged to authenticate to the popular file sharing platform Mega NZ, via it’s API at: 

• hxxps://g.api.mega.co[.]nz 

Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ 

Microsoft IR also determined that this tool was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address. 

Execution Flow 

Upon execution ExByte decodes several strings and checks if the process is running with privileged access by reading .PHYSICALDRIVE0: 

• If this check fails, ShellExecuteW is invoked with IpOperation parameter RunAs which runs explorer.exe with elevated privilege. 

After this access check, explorer.exe attempts to read data.txt file in the current location: 

• If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory: 

C:Windowssystem32cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del explorer.exe /F /Q 

• If data.txt exists, explorer.exe reads the file, passes the buffer to Base64 decode function and then decrypts the data using the key provided in the command-line. The decrypted data is then parsed as JSON below and fed for login function: 

{ 

“a”:”us0”, 

“user”:”” 

} 

Finally, it then forms an URL for login to the API of file sharing service MEGA NZ: 

• hxxps://g.api.mega.co[.]nz/cs?id=1674017543 

Data Encryption and Destruction 

MICROSOFT IR found several devices where files had been encrypted and identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names: 

• wEFT.exe 


• schillerized.exe 

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. This binary requires an 8-digit key number to encrypt files. 

Two modes of execution were identified: 

• When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on 


• When the -a parameter is provided, the ransomware conducts enumeration and uses an UPX packed version of PsExec to deploy across the network. 

• Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network. 

Depending on the switch (-s or -a), execution may create below files: 

• C:SystemDataM8yl89s7.exe (Random Name – UPX Packed PsExec) 


• C:SystemDatawEFT.exe (Additional BlackByte binary) 


• C:SystemDataMsExchangeLog1.log (Log file)


• C:SystemDatarENEgOtiAtES


• A Vulnerable (CVE-2019-16098) driver RtCore64.sys, used to evade detection by installed AV/EDR software


• C:SystemDataiHu6c4.ico (Random Name – BlackBytes icon)


• C:SystemDataBB_Readme_file.txt (BlackByte ReadMe File)


• C:SystemDataskip_bypass.txt (Unknown) 

Some capabilities identified for the BlackByte 2.0 ransomware were: 

AV/EDR Bypass: 

• The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read/write to arbitrary memory. 


• The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed AV/EDR software. 

Process Hollowing 

• Invokes svchost.exe, injects to it to complete device encryption, and self-deletes by executing the following command: 

• cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del “PATH_TO_BLACKBYTE” /F /Q 

Modification / Disabling of Windows Firewall 

• The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely: 

• cmd /c netsh advfirewall set allprofiles state off 


• cmd /c netsh advfirewall firewall set rule group=”File and Printer Sharing” new enable=Yes 


• cmd /c netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes 

Modification of Volume Shadow Copies 

• The following commands are executed to destroy volume shadow copies on the machine: 

• cmd /c vssadmin Resize ShadowStorge /For=B: /On=B: /MaxSuze=401MB 


• cmd /c vssadmin Resize ShadowStorage /For=B: /On=B: /MaxSize=UNBOUNDED 

Modification of Registry Keys/Values 

• The following commands are executed to modify the registry, facilitating elecated execution on the device: 

• cmd /c reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f 

• cmd /c reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v EnableLinkedConnections /t REG_DWORD /d 1 /f 


• cmd /c reg add HKLMSYSTEMCurrentControlSetControlFileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f 

Additional Functionality 

• Ability to terminate running services and processes. 


• Ability to enumerate and mount volumes and network shares for encryption. 

• Perform anti-forensics technique time-stomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00) 


• Ability to perform anti-debugging techniques.

Recommendations

To guard against BlackByte ransomware attacks, Microsoft IR recommends the following:  

• Ensure that you have a patch management process in place and that patching for internet exposed devices is prioritized.  

• Implement an EDR solution like Microsoft Defender for Endpoint to gain visibility of malicious activity in real time across your network 


• Ensure antivirus signatures are updated regularly and that your AV solution is configured to block threats 


• Block inbound traffic from Ips specified in the Indicators of Compromise table 


• Block inbound traffic from TOR Exit Nodes 


• Block inbound access from unauthorized public VPN services 

• Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled 


• Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools 

Indicators of compromise (IOC)

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. 

NOTE: These indicators should not be considered exhaustive for this observed activity. 

Detections

Microsoft 365 Defender 

Microsoft Defender Antivirus 

• Trojan:Win32/Kovter!MSR 


• Trojan:Win64/WinGoObfusc.LK!MT


• Trojan:Win64/BlackByte!MSR


• HackTool:Win32/AdFind!MSR


• Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint 

Microsoft Defender for Endpoint customers should watch for these alerts that can detect behavior observed in this campaign. Note however that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.

• ‘CVE-2021-31207’ exploit malware was detected 


• An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing. 


• Suspicious registry modification. 


• ‘Rtcore64’ hacktool was detected 


• Possible ongoing hands-on-keyboard activity (Cobalt Strike) 


• A file or network connection related to a ransomware-linked emerging threat activity group detected 


• Suspicious sequence of exploration activities 


• A process was injected with potentially malicious code 


• Suspicious behavior by cmd.exe was observed 


• ‘Blackbyte’ ransomware was detected 

Microsoft Defender Vulnerability Management 

Microsoft Defender Vulnerability Management surfaces impacted devices that may be affected by the Exchange (ProxyShell) and drivers vulnerabilities used in the attack: 

• CVE-2021-34473 


• CVE-2021-34523 


• CVE-2021-31207 


• CVE-2019-16098 

Advanced hunting queries

Microsoft 365 Defender and Microsoft Sentinel

ProxyShell Web Shell Creation Events 

DeviceProcessEvents 

| where ProcessCommandLine has_any (“ExcludeDumpster”,”New-ExchangeCertificate”) and ProcessCommandLine has_any ((“-RequestFile”,”-FilePath”) 

Suspicious Vssadmin Events 

DeviceProcessEvents 

| where ProcessCommandLine has_any (“vssadmin”,”vssadmin.exe”) and ProcessCommandLine has “Resize ShadowStorage” and ProcessCommandLine has_any (“MaxSize=401MB”,” MaxSize=UNBOUNDED”) 

Conclusions

BlackByte Ransomware attacks are still targeting organizations having infrastructure with old unpatched vulnerabilities, allowing them to accomplish their objectives with a minimum effort.  According to Shodan, at the time this blog was written, there are nearly 3300 public facing servers still affected to ProxyShell vulnerabilities, making this an easy target for threat actors looking to impact organizations around the world. 

As Microsoft shows in the Microsoft Digital Defense Report, key practices like “Keep up to date” in conjunction to other good practices mentioned from a basic security hygiene strategy, could protect against 98 percent of attacks. 

As new tools are being developed by threat actors, a modern threat protection solution M365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms.  

Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents. 

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR. 

Appendix

Encryption 

Different file extensions are targeted by BlackByte binary for Encryption: 

File extensions targeted by BlackByte binary for encryption 

Also, the following Shared Folders are targeted to encrypt: 

Example: IP_AddressDownloads 

Extensions ignored: 

Folders ignored: 

Files ignored: 

Process terminated by BlackByte binary 

Services terminated by BlackByte binary  

EDR/AV drivers Blackbyte can bypass