Endpoint on Adrenaline Two

Introduction

Continuing on from my last post, which covered using Defender for Cloud to gain powerful additional features on top of Defender for Endpoint to protect your endpoints, we are going to take a closer look at Defender for Endpoint itself and extend into some endpoint-specific use cases for Defender for Identity that tie directly back into Defender for Endpoint.
Firstly, a really important consideration when configuring Defender for Endpoint is that a lot of the heavy lifting from a prevention standpoint actually happens in Defender Antivirus. This means that while I'm going to briefly cover some settings to make sure Defender Antivirus isn't hindering Defender for Endpoint, I'm going to reserve further Defender Antivirus controls for the next part in this series.
This also of course means that when you're doing your own testing, just installing the MSSense agent (what you get from the onboarding scripts, Intune etc.) is not Defender for Endpoint in its totality, so you simply cannot make the assertion that the technology did or did not perform in a certain way with the agent alone. That's even ignoring all the fancy stuff I'm covering.






Portal

As most people using Defender for Endpoint will start at the portal (security.microsoft.com) I’m going to cover what you should configure there first. These features are super simple and as long as you have Office 365 E5 and Defender for Identity you can basically one-click enable them from Settings > Endpoint > Advanced Features.

EDR in block mode

This setting allows the cloud-delivered portion of Defender for Endpoint to send metadata to the Defender Antivirus antimalware engine to block further detections. Technically you don't need this if you're using Defender Antivirus in active mode (we will be), but it doesn't cost anything to keep on.

Allow or Block file

This allows operators of the portal to identify PE files within a device timeline and block them from executing in the future. Once enabled, you can also leverage this feature from any given file page.

Custom network indicators

Much like the previous feature, this allows operators of the portal to define IP addresses, domains and URLs to block. Behind the scenes, SmartScreen does much of the heavy lifting.

Tamper Protection

Enabling this via the portal prevents the configuration of Sense and Defender Antivirus from being changed in any regard.




If you have the ability to use Intune for this option, then do so, as it grants so-called "enhanced" tamper protection: with the "Configuration/DisableLocalAdminMerge" configuration item enabled, an adversary's ability to manipulate Defender Antivirus is restricted to a much greater degree.


Show user details

This adds further context to the data and alerts kept in Microsoft 365 Defender, allowing analysts to correlate behaviour to actual humans much more closely.

Office 365 Threat Intelligence connection

This setting allows Defender for Endpoint to build kill chains from a given mailbox across to an asset, making it much easier to hunt for further adversary procedures during an active compromise.

Web Content Filtering

This feature mainly uses SmartScreen and can catch attempts to reach bad domains. Importantly, make sure you have run the following on your assets:
Set-MpPreference -EnableNetworkProtection Enabled

Live Response on Servers

This gives console access to servers we have onboarded into the platform.

Live response unsigned script execution

This setting is going to be the coolest in this part of the series, as we are going to use it to achieve the following:

  • Execute and collect KAPE
  • Deploy Velociraptor
  • Deploy and execute Thor Cloud
  • Retrieve files and submit to Virus Total

Endpoint Settings

As a large portion of Defender for Endpoint's ability to protect assets comes from Defender Antivirus and other telemetry it can capture from the operating system, there are some mandatory audit settings you need to configure.

Extra Telemetry

Defender for Endpoint requires certain audit policies to be configured to capture as much data as possible. These are captured below.



Ensure audit policies are properly configured

Summary: Defender for Endpoint utilises the event log on an asset to enrich its telemetry sources. This means that certain audit policies need to be enabled and enforced so that the proper event IDs are generated.

While the Sense agent does attempt to set these configuration items itself, any audit policy configured via Group Policy will immediately overwrite those settings.

Scope: Windows Operating System (any)

Actions: Create a group policy with the below configuration and ensure it is enforced across all devices in scope.




Info: The script https://github.com/olafhartong/MDE-AuditCheck can be used to confirm the audit policy is properly implemented.
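To confirm on a single host that the enforced policy is actually in effect (the same check the MDE-AuditCheck script performs at scale), the following PowerShell reads the effective audit policy with auditpol's CSV output and compares it against a required list. This is an added example, not code from the post or from MDE-AuditCheck; the subcategories in $Required are illustrative assumptions, to be replaced with the ones from your own group policy.

```powershell
# Added example (not from the original post): confirm that the audit subcategories
# enforced by the Group Policy above are actually in effect on a host, using
# auditpol's CSV output. The $Required list is an illustrative assumption: replace
# it with the subcategories from your own policy (or use the MDE-AuditCheck script
# linked in the post for the full set).

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with a 'Subcategory' and an 'Inclusion Setting' column
    # (values such as 'Success', 'Failure', 'Success and Failure', 'No Auditing').
    auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

function Test-AuditPolicy {
    param(
        [hashtable]$Required = @{
            # Subcategory                = minimum setting required (assumed examples)
            'Process Creation'           = 'Success'
            'Process Termination'        = 'Success'
            'Logon'                      = 'Success and Failure'
            'Security Group Management'  = 'Success'
        }
    )
    $effective = Get-EffectiveAuditPolicy
    foreach ($name in $Required.Keys) {
        $row    = $effective | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '(subcategory not found)' }
        $want   = $Required[$name]
        # 'Success and Failure' satisfies a requirement for either half on its own.
        $ok = ($actual -eq $want) -or
              ($actual -eq 'Success and Failure' -and ($want -in @('Success', 'Failure')))
        [pscustomobject]@{ Subcategory = $name; Required = $want; Actual = $actual; Compliant = $ok }
    }
}

# Run elevated; anything reported as non-compliant means the GPO is not reaching
# this host or a later policy is overwriting it.
Test-AuditPolicy | Format-Table -AutoSize
```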
Enable Real-time Protection in Defender Antivirus

Summary: Real-time protection allows Defender to actively monitor numerous machine components for threats and take action if something malicious is detected. Real-time protection is a core component of Defender for Endpoint and must be enabled for it to function properly.

Scope: Windows 7 and Up, Windows Server 2012 R2 and Up

Actions:

Endpoint Manager: Navigate to Endpoint Manager Security centre > Endpoint Security > Antivirus and create a Defender Antivirus policy. Configure "Turn on real-time protection" to "Yes".

Group Policy: Open Group Policy Management Console > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection. Configure "Turn off real-time protection" to "Disabled".

 
Warning: Devices that have had other antivirus products installed in the past automatically disable real-time protection. Extra consideration is needed to ensure it is turned back on.

Enable Cloud-Delivered Protection

Summary: Cloud-Delivered Protection enables features such as ASR rules, cloud sample submission and tamper protection enforcement, and as such is critical to the deployment of Defender for Endpoint.

Scope: Windows 7 and Up, Windows Server 2012 R2 and Up

Intune: Navigate to Endpoint Manager admin centre > Device Configuration > Profiles > Select a profile type or create a new one > Properties > Configuration settings: Edit > Microsoft Defender Antivirus. Configure "Cloud Delivered Protection" to "Enable" and "Prompt users before sample submission" to "Send all data automatically".
Endpoint Manager: Navigate to Endpoint Manager Security centre > Endpoint Security > Antivirus > select or create a Defender Antivirus policy > Properties > Configuration Settings > Edit. Configure "Turn on cloud-delivered protection" to "Yes", "Cloud-delivered protection level" to "High" and "Defender Cloud Extended Timeout in Seconds" to "50".


Group Policy: Open Group Policy Management Console > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS. Configure "Join Microsoft MAPS" to "Advanced MAPS" and "Send file samples when further analysis is required" to "Enabled" and "Send all samples".
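The real-time protection and cloud-delivered protection steps above are applied through Intune or Group Policy, but on any given host you still want to verify that they landed. The following PowerShell is an added example (not the post's own code) that reads the local Defender Antivirus state with Get-MpComputerStatus and Get-MpPreference and compares it with the values the post asks for, including the network protection setting from the Web Content Filtering section; with -Remediate it applies the Set-MpPreference equivalents. The expected values are my mapping of the post's UI settings onto Set-MpPreference, which is an assumption on my part.

```powershell
# Added example (not from the original post): audit the local Defender Antivirus
# settings this post asks for and, when -Remediate is given, correct them with
# Set-MpPreference. Requires the Defender PowerShell module (Windows 10 / Server 2016+).
# The expected values are an assumed mapping of the post's Endpoint Manager and
# Group Policy steps onto their Set-MpPreference equivalents.

function Test-MdeAvBaseline {
    [CmdletBinding()]
    param([switch]$Remediate)

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Each check: a readable name, the current value, the expected value and the
    # remediation to apply. Numeric enum values follow the Get-MpPreference documentation.
    $checks = @(
        @{ Name = 'Real-time protection enabled'; Current = $status.RealTimeProtectionEnabled; Expected = $true
           Fix = { Set-MpPreference -DisableRealtimeMonitoring $false } }
        @{ Name = 'MAPS reporting (2 = Advanced MAPS)'; Current = [int]$pref.MAPSReporting; Expected = 2
           Fix = { Set-MpPreference -MAPSReporting Advanced } }
        @{ Name = 'Sample submission (3 = send all samples)'; Current = [int]$pref.SubmitSamplesConsent; Expected = 3
           Fix = { Set-MpPreference -SubmitSamplesConsent SendAllSamples } }
        @{ Name = 'Cloud block level (2 = High)'; Current = [int]$pref.CloudBlockLevel; Expected = 2
           Fix = { Set-MpPreference -CloudBlockLevel High } }
        @{ Name = 'Cloud extended timeout (seconds)'; Current = [int]$pref.CloudExtendedTimeout; Expected = 50
           Fix = { Set-MpPreference -CloudExtendedTimeout 50 } }
        @{ Name = 'Network protection (1 = Enabled)'; Current = [int]$pref.EnableNetworkProtection; Expected = 1
           Fix = { Set-MpPreference -EnableNetworkProtection Enabled } }
        @{ Name = 'Tamper protection reported by the engine'; Current = $status.IsTamperProtected; Expected = $true
           Fix = $null }   # tamper protection is set from the portal/Intune, not locally
    )

    foreach ($c in $checks) {
        $ok = ($c.Current -eq $c.Expected)
        [pscustomobject]@{
            Check     = $c.Name
            Current   = $c.Current
            Expected  = $c.Expected
            Compliant = $ok
        }
        if (-not $ok -and $Remediate -and $c.Fix) {
            Write-Verbose "Remediating: $($c.Name)"
            & $c.Fix
        }
    }
}

# Report only:
Test-MdeAvBaseline | Format-Table -AutoSize
# Report and fix drift (run elevated):
# Test-MdeAvBaseline -Remediate -Verbose
```

Note that once tamper protection is enforced, local Set-MpPreference changes to protected settings are rejected by design, so on a tamper-protected host treat the report as a signal that the management policy is not reaching the device rather than something to fix by hand.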






Enable Windows Defender Application Control
Summary: Defender Application Control can be used to enrich the telemetry collected by Defender for Endpoint. Defender Application Control has wider uses that are valuable to explore, but for the purposes of Defender for Endpoint the policies can remain in audit mode.

Scope: Windows 10 and above, Windows Server 2016 and above

Action:
Group Policy: Open Group Policy Management Console > Computer Configuration > Administrative Templates > System > Device Guard. Configure "Deploy Windows Defender Application Control" to "Enabled" and "WDAC policy deployment path" to the UNC path of your policy.

Info: It is recommended that currently used drivers are whitelisted and a blacklist then placed on all other instances; this protects the organisation against bring-your-own-driver techniques. The following script enables accurate at-scale deployment: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig


Enable Attack Surface Reduction Rules
Summary: Attack surface reduction rules prevent certain behaviours on devices to narrow the attacks available to a malicious actor. These rules are tracked in Defender for Endpoint and are highly valuable for both preventing attacks and detecting them.

Scope: Windows 10 and Up, Windows Server 2012 R2 and Up

Action:

Intune: Navigate to Endpoint Manager admin centre > Device Configuration > Profiles > Select or Create an Endpoint Protection profile > Windows Defender Exploit Guard > Attack Surface Reduction. Configure all available ASR rules to "Audit Mode".


Group Policy: Group Policy Management Console > Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Configure Attack surface reduction rules.
Enter the Below GUIDs and Values:







Enable Attack Surface Reduction Rules (continued)

Once the rules above are implemented you can review the results of the ASR rules in audit mode by going to security.microsoft.com and clicking Reports > Attack surface reduction rules. It can take 4+ hours before results start to appear. Once you have reviewed the results you can go back to the policy at endpoint.microsoft.com and add any exceptions you require.
Once you have implemented and reviewed the ASR rules you can begin setting them to 'Block' mode. It is highly recommended you utilise several testing rings before deploying ASR rules in 'Block' mode. Use the diagram below to identify the rules that are most likely to generate issues.
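Alongside the portal report, the audit-mode hits are also written to the local Defender event log, which is handy for checking a single pilot machine in a testing ring before the 4+ hour reporting delay elapses. The following PowerShell is an added example, not the post's code: it puts a set of ASR rules into audit mode with Add-MpPreference and then summarises audit events per rule so the noisiest rules stand out. The rule GUIDs are Microsoft's publicly documented ASR rule IDs, but the subset chosen is my assumption and is not the post's (missing) table; extracting the rule ID from the event message with a GUID regex is also an assumption about the message layout.

```powershell
# Added example (not from the original post): put a set of ASR rules into audit mode
# locally with Add-MpPreference, then summarise the resulting audit events so the
# noisiest rules can be identified before moving any of them to Block.
# The rule IDs are Microsoft's publicly documented ASR rule GUIDs; the subset chosen
# here is an assumption, not the post's table.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

function Set-AsrRulesAuditMode {
    # Audit mode logs what would have been blocked (event 1122) without blocking it.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrAuditSummary {
    param([int]$Days = 7)
    # Defender records ASR audit hits as event 1122 (1121 is the Block-mode equivalent)
    # in the Microsoft-Windows-Windows Defender/Operational log.
    $filter = @{ LogName   = 'Microsoft-Windows-Windows Defender/Operational'
                 Id        = 1122
                 StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $guid   = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    $events |
        ForEach-Object {
            # The rule GUID appears in the message text ("ID: <GUID>"); taking the first
            # GUID in the message is an assumption that avoids relying on EventData field names.
            $m = [regex]::Match($_.Message, $guid)
            if ($m.Success) { $m.Value.ToUpperInvariant() }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                RuleId    = $_.Name
                RuleName  = if ($AsrRules.ContainsKey($_.Name)) { $AsrRules[$_.Name] } else { '(rule not in this list)' }
                AuditHits = $_.Count
            }
        }
}

Set-AsrRulesAuditMode
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize
```

Rules with a large number of audit hits from legitimate business applications are the ones that need exclusions agreed before they move to Block; rules with zero hits over a representative period are the safe first candidates for the next ring.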










Cloud Protection

Enable Automated Investigations

Summary: Automated investigations utilise inspection algorithms to further evaluate detected suspicious activity and then perform remediation actions without the need for a human analyst. Automated investigations are capable of spanning multiple assets and are a valuable feature.
Action: Navigate to Microsoft 365 Defender > Settings > Endpoints > Advanced Features. Enable "Automated Investigations"


Enable Live Response

Summary: Live response enables analysts to perform deeper investigations during incident triage. Often analysts use live response to gather 'point in time' information about artefacts related to an alert. Live response is limited to the following actions:

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and outcomes of PowerShell scripts.
  • Download files in the background.
  • Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
  • Take or undo remediation actions.

Action: Navigate to Microsoft 365 Defender > Settings > Endpoints > Advanced Features. Enable "Live Response", "Live Response for Servers"


Disable Automatically Resolve Alerts

Summary: The Automatically Resolve Alerts option allows automated investigations to close alerts if no threat is found or all malicious artefacts were successfully remediated. While automated investigations are valuable, they are not perfect, and the results of such investigations should still be reviewed by a human analyst.

Action: Navigate to Microsoft 365 Defender > Settings > Endpoints > Advanced Features. Disable "Automatically Resolve Alerts"


Microsoft Defender for Identity

By enabling this product and configuring a Directory Service account (documented here: https://learn.microsoft.com/en-us/defender-for-identity/manage-action-accounts) we can now expand protections to those attacks that span multiple operating systems. This is important because, without it, identifying attacks that span multiple systems requires the root cause and initial access analysis to be repeated for each system. With MDI integrated into Defender for Endpoint we can instead detect lateral movement between assets, with contextual information provided at the front of the alert.

Configure SAM-R Required Permissions

Within Group Policy Editor: Navigate to Computer configuration > Windows settings > Security settings > Local policies > Security options, select the policy named 'Network access: Restrict clients allowed to make remote calls to SAM' and add the identity you already established as a discovery account for MDI.
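This policy lands on each host as an SDDL string in the RestrictRemoteSAM registry value, so it can be verified locally without opening the GPO. The following PowerShell is an added example (not the post's own code) that parses that value and confirms the MDI account is among the principals granted the READ_CONTROL right SAM-R needs; the account name 'CONTOSO\svc-mdi' is a placeholder for your own MDI Directory Service account.

```powershell
# Added example (not from the original post): verify that "Network access:
# Restrict clients allowed to make remote calls to SAM" is in force on a host
# and that the MDI Directory Service account is one of the permitted callers.
# The policy is stored as an SDDL string in the RestrictRemoteSAM registry value;
# 'CONTOSO\svc-mdi' below is a placeholder account name, not a real one.

function Test-RestrictRemoteSam {
    param(
        [Parameter(Mandatory)] [string]$AllowedAccount   # e.g. 'CONTOSO\svc-mdi' (placeholder)
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $key -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue).RestrictRemoteSAM

    if (-not $sddl) {
        # No value means the policy has not reached this host (or was never set).
        return [pscustomobject]@{ PolicyPresent = $false; AccountAllowed = $false; Allowed = @() }
    }

    # Parse the SDDL and collect every SID explicitly allowed READ_CONTROL (RC = 0x20000),
    # the right that remote SAM enumeration requires.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            ($ace.AccessMask -band 0x20000)) {
            $ace.SecurityIdentifier
        }
    }

    # Resolve the account to its SID so the comparison does not depend on name format.
    $target = (New-Object System.Security.Principal.NTAccount($AllowedAccount)).Translate(
                  [System.Security.Principal.SecurityIdentifier])

    [pscustomobject]@{
        PolicyPresent  = $true
        AccountAllowed = [bool]($allowed | Where-Object { $_ -eq $target })
        Allowed        = $allowed | ForEach-Object {
            try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
        }
    }
}

Test-RestrictRemoteSam -AllowedAccount 'CONTOSO\svc-mdi'
```

The Allowed list doubles as a review aid: anything in it other than Administrators and the MDI account is an identity that can enumerate SAM remotely and should be accounted for.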



Summary

In summary, we have brought together all the basic controls you are required to enable in order to maximise the protection available to an endpoint. Next we will take a brief look at using MCAS to enforce application control, and finally dive into hundreds of use cases for a Microsoft Sentinel integration.