This post collects some notes from a lab practice.
Management
Endpoint Security Stack:
- Antivirus
- Disk Encryption
- Firewall
- Endpoint Detection & Response
- Attack Surface Reduction
- Device Control
- Web Protection
- Network Protection
Management Architecture
Microsoft Endpoint Manager (MDM) = Microsoft Intune admin center
- Antivirus
- Disk Encryption
- Firewall
- Endpoint Detection and Response
- Endpoint Privilege Management
- Account Protection
- App Control
- Attack surface reduction
- Device Compliance
- Conditional Access
MDE Configuration Management:
Integrate with Intune
If MDE is not configured properly to connect to Intune, the portal shows no connection and no last sync, as in the following screenshot.
From the Defender portal: https://security.microsoft.com/securitysettings/endpoints/
From Intune: https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/
RBAC
Example:
Organization Chart with RBAC Role, Device Tag, Device Name
1. RBAC
Best practice:
1. Create Azure AD User Groups
2. Configure MDE RBAC
3. Create Device Tags
4. Create Device Groups
Microsoft Defender – System – settings – Endpoints – Permissions – Roles
Device Group
Microsoft Defender – System – settings – Endpoints – Permissions – Device groups
It takes some time for the device counts to appear in the group.
Onboarding
Auto Enroll for Azure Environment:
Azure AD / Entra ID – Manage – Mobility (MDM and WIP) – Microsoft Intune
Device onboarded by MDE
https://security.microsoft.com/
Use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices not enrolled with Intune
https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration
How does it work?
- Devices onboard to Microsoft Defender for Endpoint.
- Devices communicate with Intune. This communication enables Microsoft Intune to distribute policies that are targeted to the devices when they check in.
- A registration is established for each device in Microsoft Entra ID:
- If a device previously was fully registered, like a Hybrid Join device, the existing registration is used.
- For devices that aren't registered, a synthetic device identity is created in Microsoft Entra ID to enable the device to retrieve policies. When a device with a synthetic registration later gets a full Microsoft Entra registration, the synthetic registration is removed and the device's management continues uninterrupted using the full registration.
- Defender for Endpoint reports the status of the policy back to Microsoft Intune.
Device onboarded by Intune
https://intune.microsoft.com/#home
Assign to all users or specific group(s):
Manually onboard a single device / user.
We can use SCCM, MDE, or Intune to push deployment packages to endpoints.
For orphan devices, there is a local onboarding script for each OS that can be downloaded and run on them.
Off-boarding
Once onboarded, the device shows its last report time; it changes to inactive status after 7 days without reporting.
Inactive device: it can't be deleted manually, but it will be auto-purged after 6 months.
Command line:
PS C:\Users\nestorw> Get-MpPreference
AllowDatagramProcessingOnWinServer : False
AllowNetworkProtectionDownLevel : False
AllowNetworkProtectionOnWinServer : False
AllowSwitchToAsyncInspection : False
ApplyDisableNetworkScanningToIOAV : False
AttackSurfaceReductionOnlyExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_Actions : {1, 1, 1, 1…}
AttackSurfaceReductionRules_Ids : {01443614-cd74-433a-b99e-2ecdc07bfc25,
01443614-CD74-433A-B99E2ECDC07BFC25,
26190899-1602-49e8-8b27-eb1d0a1ce869,
3B576869-A4EC-4529-8536-B80A7769E899…}
AttackSurfaceReductionRules_RuleSpecificExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_RuleSpecificExclusions_Id : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionAggressiveness : 0
BruteForceProtectionConfiguredState : 0
BruteForceProtectionExclusions : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionLocalNetworkBlocking : False
BruteForceProtectionMaxBlockTime : 0
BruteForceProtectionSkipLearningPeriod : False
CheckForSignaturesBeforeRunningScan : False
CloudBlockLevel : 2
CloudExtendedTimeout : 50
ComputerID : 53478E7B-6656-4EC1-AC79-1BDE55590FE3
ControlledFolderAccessAllowedApplications : {N/A: Must be an administrator to view exclusions}
ControlledFolderAccessDefaultProtectedFolders : {N/A: Must be an administrator to view default protected
folders}
ControlledFolderAccessProtectedFolders :
DefinitionUpdatesChannel : 0
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCacheMaintenance : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCoreServiceECSIntegration : False
DisableCoreServiceTelemetry : False
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableDnsOverTcpParsing : False
DisableDnsParsing : False
DisableEmailScanning : False
DisableFtpParsing : False
DisableGradualRelease : False
DisableHttpParsing : False
DisableInboundConnectionFiltering : False
DisableIOAVProtection : False
DisableNetworkProtectionPerfTelemetry : False
DisablePrivacyMode : False
DisableQuicParsing : False
DisableRdpParsing : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : False
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
DisableSmtpParsing : False
DisableSshParsing : False
DisableTamperProtection : False
DisableTlsParsing : False
EnableControlledFolderAccess : 1
EnableConvertWarnToBlock : False
EnableDnsSinkhole : True
EnableEcsConfiguration : False
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 1
EnableUdpReceiveOffload : False
EnableUdpSegmentationOffload : False
EngineUpdatesChannel : 3
ExclusionExtension : {N/A: Must be an administrator to view exclusions}
ExclusionIpAddress : {N/A: Must be an administrator to view exclusions}
ExclusionPath : {N/A: Must be an administrator to view exclusions}
ExclusionProcess : {N/A: Must be an administrator to view exclusions}
ForceUseProxyOnly : False
HideExclusionsFromLocalUsers : True
HighThreatDefaultAction : 0
IntelTDTEnabled :
LowThreatDefaultAction : 0
MAPSReporting : 2
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
NetworkProtectionReputationMode : 0
OobeEnableRtpAndSigUpdate : False
PerformanceModeStatus : 1
PlatformUpdatesChannel : 3
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 1
QuarantinePurgeItemsAfterDelay : 90
QuickScanIncludeExclusions : 0
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
RemoteEncryptionProtectionAggressiveness : 0
RemoteEncryptionProtectionConfiguredState : 0
RemoteEncryptionProtectionExclusions : {N/A: Must be an administrator to view exclusions}
RemoteEncryptionProtectionMaxBlockTime : 0
RemoveScanningThreadPoolCap : False
ReportDynamicSignatureDroppedEvent : False
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleOffset : 120
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SchedulerRandomizationTime : 4
ServiceHealthReportInterval : 60
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SharedSignaturesPathUpdateAtScheduledTimeOnly : False
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 3
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
ThrottleForScheduledScanOnly : True
TrustLabelProtectionStatus : 0
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :
PS C:\Users\nestorw>
Here are ways to check the sensor to see if the system is offboarded. I have not run these to double-check. For Windows:
C:\Users\nestorw>sc query sense
SERVICE_NAME: sense
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Users\nestorw>
- If the sense service is not found or is stopped, the device might be off-boarded.
- Check the Registry:
  - Open Registry Editor (regedit).
  - Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
  - Look for the OnboardingState value. If it is set to 0, the device is off-boarded.
- Event Logs:
  - Open Event Viewer.
  - Navigate to Applications and Services Logs > Microsoft > Windows > SENSE > Operational.
  - Look for Event ID 20 or 44, which indicate off-boarding events.
Get-MpComputerStatus shows which mode Defender Antivirus is running in and a host of other information about MDE on the device.
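The three sensor checks above (sense service, OnboardingState registry value, SENSE operational log events 20/44) plus the Get-MpComputerStatus mode can be collected in one read-only script. This is an added example, not code from the original notes; the service name, registry path and event IDs are the ones the notes give, the event log name Microsoft-Windows-SENSE/Operational is assumed to be the provider name behind the Event Viewer path, and the summary object shape is my own choice. Run it in an elevated PowerShell session.

```powershell
# Added example: summarise MDE sensor state on the local Windows device (read-only).
function Get-MdeSensorState {
    [CmdletBinding()]
    param()

    # 1. Service check: the MDE sensor runs as the 'sense' service.
    $svc = Get-Service -Name 'sense' -ErrorAction SilentlyContinue

    # 2. Registry check: OnboardingState 1 = onboarded, 0 = off-boarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = $null
    if (Test-Path $statusKey) {
        $onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # 3. Event log check: IDs 20 and 44 in the SENSE operational log indicate off-boarding.
    #    Log name is assumed to correspond to Microsoft > Windows > SENSE > Operational.
    $offboardEvents = @()
    try {
        $offboardEvents = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SENSE/Operational'
            Id      = 20, 44
        } -MaxEvents 10 -ErrorAction Stop)
    } catch {
        # Get-WinEvent throws when no events match or the log is absent; treat as "none found".
    }

    # 4. Antivirus running mode (Normal, Passive Mode, EDR Block Mode, ...) from Get-MpComputerStatus.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SenseServiceFound  = [bool]$svc
        SenseServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        OnboardingState    = $onboardingState
        OffboardEventCount = $offboardEvents.Count
        LastOffboardEvent  = if ($offboardEvents.Count -gt 0) { $offboardEvents[0].TimeCreated } else { $null }
        AMRunningMode      = if ($mp) { $mp.AMRunningMode } else { $null }
        # Any one of the signals is enough to warrant a closer look in the portal.
        LikelyOffboarded   = (-not $svc) -or ($svc.Status -ne 'Running') -or
                             ($onboardingState -eq 0) -or ($offboardEvents.Count -gt 0)
    }
}

Get-MdeSensorState | Format-List
```

A device that is merely inactive in the portal (no report for 7 days) can still show sense running and OnboardingState 1 locally; the LikelyOffboarded flag only reflects the local evidence, so cross-check against the device page in security.microsoft.com before deleting or re-onboarding.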
Next Generation Protection
Attack Surface Reduction
Resist attacks and exploitation
- HW based isolation
- Application control
- Exploit protection
- Network protection
- Controlled folder access
- Device control
- Web protection
- Ransomware protection
What it is used for:
- Isolate access to untrusted sites
- Isolate access to untrusted Office files
- Host intrusion prevention
- Exploit mitigation
- Ransomware protection for your files
- Block traffic to low reputation destinations
- Protect your legacy applications
- Only allow trusted applications to run
Attack Surface Reduction (ASR) Rules
Minimize the attack surface: signature-less controls over entry vectors, based on cloud intelligence. Attack surface reduction (ASR) rules control behaviors such as those of Office macros.
Productivity apps rules
- Block Office apps from creating executable content
- Block Office apps from creating child processes
- Block Office apps from injecting code into other processes
- Block Win32 API calls from Office macros
- Block Adobe Reader from creating child processes
Email rule
- Block executable content from email client and webmail
- Block only Office communication applications from creating child processes
Script rules
- Block obfuscated JS/VBS/PS/macro code
- Block JS/VBS from launching downloaded executable content
Polymorphic threats
- Block executable files from running unless they meet a prevalence (1000 machines), age (24hrs), or trusted list criterion
- Block untrusted and unsigned processes that run from USB
- Use advanced protection against ransomware
Lateral movement & credential theft
- Block process creations originating from PsExec and WMI commands
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block persistence through WMI event subscription
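The Get-MpPreference output earlier in these notes lists the configured ASR rules as two parallel arrays, AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions, which is hard to read and hides a problem visible in that output: one rule ID is missing a hyphen and so is not a valid GUID. The script below, an added example that is not part of the original notes, pairs the two arrays, translates the action codes (0 Disabled, 1 Block, 2 Audit, 6 Warn) and flags malformed IDs. The GUID-to-name lookup is a partial list I took from Microsoft's published ASR rule GUIDs (the three IDs present in the lab output plus two from the lateral-movement group); any GUID not in it is reported as unknown rather than guessed.

```powershell
# Added example: readable inventory of local ASR rule configuration.
$asrActionNames = @{
    0 = 'Disabled'
    1 = 'Block'
    2 = 'Audit'
    6 = 'Warn'
}

# Partial GUID -> rule name lookup (lower-case keys); extend with the rest of the published list.
$asrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age, or trusted list criteria'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
}

function Get-AsrRuleTable {
    param(
        # Arrays can be passed in directly so the logic can be exercised without Defender present.
        [string[]]$Ids  = (Get-MpPreference).AttackSurfaceReductionRules_Ids,
        [int[]]$Actions = (Get-MpPreference).AttackSurfaceReductionRules_Actions
    )
    if ($Ids.Count -ne $Actions.Count) {
        Write-Warning "Ids ($($Ids.Count)) and Actions ($($Actions.Count)) differ in length; pairing is positional."
    }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $raw    = $Ids[$i]
        $guid   = [guid]::Empty
        $valid  = [guid]::TryParse($raw, [ref]$guid)   # strict 8-4-4-4-12 layout required
        $key    = $raw.ToLowerInvariant()
        $action = if ($i -lt $Actions.Count) { $Actions[$i] } else { $null }
        [pscustomobject]@{
            RuleId   = $raw
            ValidId  = $valid
            RuleName = if ($valid -and $asrRuleNames.ContainsKey($key)) { $asrRuleNames[$key] }
                       elseif ($valid) { 'Unknown (not in local lookup)' }
                       else { 'MALFORMED ID - rule will not apply' }
            Action   = if ($null -ne $action -and $asrActionNames.ContainsKey([int]$action)) { $asrActionNames[[int]$action] }
                       else { "Unknown ($action)" }
        }
    }
}

# Live inventory from the local device:
Get-AsrRuleTable | Format-Table -AutoSize

# The same logic on constructed input mirroring the lab output above, including the malformed GUID:
Get-AsrRuleTable -Ids @('01443614-cd74-433a-b99e-2ecdc07bfc25', '01443614-CD74-433A-B99E2ECDC07BFC25') -Actions @(1, 1) |
    Format-Table -AutoSize
```

Because Intune and Defender only honour rule IDs that parse as GUIDs, the malformed entry in the lab output is effectively a silently missing rule; comparing this table against the intended Intune ASR policy is a quick way to catch that kind of drift before an audit does.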
Web Threat Protection Architecture
Detection & Response
Endpoint Detection & Response:
- Correlated post-breach detection
- Investigation experience
- Incident
- Advanced hunting
- Response actions (+EDR blocks)
- Deep file analysis
- Live response
- Threat analytics
Live Response
- Real-time live connection to a remote system
- Leverage Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)
- Extended remediation command + easy undo
- Full audit
- Extendable (write your own command, build your own tool)
- RBAC + Permissions
Microsoft 365 Defender Automated Investigation & Response (AIR)
Microsoft AIR mimics an analyst's investigation steps using 15 built-in investigation playbooks and 20 remediation actions.
There are no user-defined AIR playbooks in Defender, but you can define your own playbook in Sentinel.
What response actions should be covered?
Response Actions on a Device
1. Manage tags
2. Initiate Automated Investigation
3. Initiate Live Response Session
4. Collect investigation package from devices
5. Run Microsoft Defender Antivirus scan on devices
6. Restrict app execution
7. Isolate devices from the network
8. Contain devices from the network
9. Consult a threat expert
10. Check activity details in Action center
11. Turn on Troubleshooting mode
Take response actions on a device: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts
Response actions on a file
1. Stop and quarantine files in your network
2. Restore file from quarantine
3. Download or collect file
4. Add indicator to block or allow a file
5. Consult a threat expert
6. Check activity details in Action center
7. Deep analysis
Take response actions on a file: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts
Feature | How to Demonstrate
Windows Defender Exploit Guard Attack Surface Reduction Rules | Attack Surface Reduction – Microsoft Defender
Windows Defender Exploit Guard Controlled Folder Access | Controlled Folder Access – Microsoft Defender
Windows Defender Exploit Guard Network Protection | Network Protection – Microsoft Defender
Windows Defender SmartScreen URL Reputation | UrlRep – Microsoft Defender
Windows Defender SmartScreen App Reputation | AppRep – Microsoft Defender Testground
Microsoft Defender for Endpoint Web Content Filtering | Demo (block SNS and access to e.g. facebook.com)
Microsoft Defender for Endpoint Indicators (URL / IP / Domain) | Demo (specify a URL, then access the URL)
*There may be up to 2 hours of latency.
Attack Surface Reduction (ASR)
ASR rules, URL filtering, and antivirus in Intune:
Investigation
Detection & Investigation
Review incident & Alerts
Actions:
1. Isolate device
2. Copilot for Security
3. Alerts
4. File submission as indicator
5. VirusTotal hash
6. Automated investigation
Notification
Normal Notification
Create vulnerability alert
References
Next generation protection
- Microsoft Defender Antivirus: Your next generation protection
- Learn about our approach to fileless threats
- Stopping attacks in their tracks through behavioral blocking and containment
- EDR in block mode
- Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner
Architecture
- Understand the architecture of the service
Onboarding
- Onboarding machines
- Deploy Microsoft Defender ATP for Mac in just a few clicks
- Deploy Microsoft Defender ATP in rings
- Microsoft Defender for Endpoint for iOS
- Microsoft Defender for Endpoint for Linux
- Onboarding and servicing non-persistent VDI machines
- Configuring Microsoft Defender Antivirus for non-persistent VDI machines
Grant and control access
- Use basic permissions to access the portal
- How to use RBAC
- How to use tagging effectively (Part 1)
- How to use tagging effectively (Part 2)
- How to use tagging effectively (Part 3)
- Multi-tenant access for Managed Security Service Providers
- Step-by-step: Multi-tenant access for Managed Security Service Providers
Security configuration
- Use Microsoft Endpoint Manager to manage security configuration
- Manage Microsoft Defender Firewall with Microsoft Defender ATP and Microsoft Intune
- Turn on tamper protection
- Co-Management
Attack Surface Reduction
- Learn about all the features to help you reduce the attack surface
- Track and regulate access to websites with web content filtering
- Learn more about Application control
- Get a better understanding of Network protection
- Understand attack surface reduction rules
- How to configure attack surface reduction rules and how to use exclusions
- How to report and troubleshoot Microsoft Defender ATP ASR Rules
- Migrate from a 3rd party HIPS solution into ASR rules
- Reputation analysis – Microsoft Defender SmartScreen
Responding to threats
- Overview of live response
- Investigate entities on devices using live response
- Response actions on machines
- Response actions on a file