Defender Lab Notes 1 (Mgmt & Config, RBAC, Prevention, ASR&NGP, Detection, Invesitigation, Response)

This is the post to collect some Notes from a lab practice.

Management

Endpoint Security Stack:

Antivirus
Disk Encryption
Firewall
Endpoint Detection & Response
Attack Surface Reduction
Device Control
Web Protection
Network Protection

Management Architecture

Microsoft Endpoint Manager (MDM) = Microsoft Intune admin Center

Antivirus
Disk Encryption
Firewall
Endpoint Detection and Response
Endpoint Privilege Management
Account Protection
App Control
Attack surface reduction
Device Compliance
Conditional Access

MDE Configuration Management:

Integrate with Intune

If MDE was not configured properly to connect to Intune, you will get following screenshot to show no connection and no last sync.

From : https://security.microsoft.com/securitysettings/endpoints/

From Intune: https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/

RBAC

Example:

Organization Chart with RBAC Role, Device Tag, Device Name

1. RBAC

Best practice:

1. Create Azure AD User Groups

2. Configure MDE RBAC

3. Create Device Tags

4. Create Device Groups

Microsoft Defender - System - settings - Endpoints - Permissions - Roles

Device Group

Microsoft Defender - System - settings - Endpoints - Permissions - Device groups

It will take some time to show the device numbers in the group.

Onboarding

Auto Enroll for Azure Environment:

Azure AD / Entra ID - Manage - Mobility (MDM and WIP) - Microsoft Intune

Device onboarded by MDE

https://security.microsoft.com/

Use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices not enrolled with Intune

https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration

How does it work?

Devices onboard to Microsoft Defender for Endpoint.
Devices communicate with Intune. This communication enables Microsoft Intune to distribute policies that are targeted to the devices when they check in.
A registration is established for each device in Microsoft Entra ID:
- If a device previously was fully registered, like a Hybrid Join device, the existing registration is used.
- For devices that aren't registered, a synthetic device identity is created in Microsoft Entra ID to enable the device to retrieve policies. When a device with a synthetic registration has a full Microsoft Entra registration created for it, the synthetic registration is removed and the devices management continues on uninterrupted by using the full registration.
Defender for Endpoint reports the status of the policy back to Microsoft Intune.

Device onboarded by Intune

https://intune.microsoft.com/#home

Create a

Assign to all users or specific group(s):

Add all users and all devices for assignment.

Manually onboarding single device / user.

We can use SCCM, MDE, Intune to push deployment packages to endpoints.

For those orphan devices, there is local script for different OS to be downloaded and installed on them.

Off-boarding

Once onboarded, it will show last report time and will become inactive status after 7 days.

Inactive device

but can't delete it

It will be auto-purged in 6 months.

Command line:

get-mppreference

PS C:\Users\nestorw> Get-MpPreference

AllowDatagramProcessingOnWinServer : False
AllowNetworkProtectionDownLevel : False
AllowNetworkProtectionOnWinServer : False
AllowSwitchToAsyncInspection : False
ApplyDisableNetworkScanningToIOAV : False
AttackSurfaceReductionOnlyExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_Actions : {1, 1, 1, 1...}
AttackSurfaceReductionRules_Ids : {01443614-cd74-433a-b99e-2ecdc07bfc25,
01443614-CD74-433A-B99E2ECDC07BFC25,
26190899-1602-49e8-8b27-eb1d0a1ce869,
3B576869-A4EC-4529-8536-B80A7769E899...}
AttackSurfaceReductionRules_RuleSpecificExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_RuleSpecificExclusions_Id : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionAggressiveness : 0
BruteForceProtectionConfiguredState : 0
BruteForceProtectionExclusions : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionLocalNetworkBlocking : False
BruteForceProtectionMaxBlockTime : 0
BruteForceProtectionSkipLearningPeriod : False
CheckForSignaturesBeforeRunningScan : False
CloudBlockLevel : 2
CloudExtendedTimeout : 50
ComputerID : 53478E7B-6656-4EC1-AC79-1BDE55590FE3
ControlledFolderAccessAllowedApplications : {N/A: Must be an administrator to view exclusions}
ControlledFolderAccessDefaultProtectedFolders : {N/A: Must be an administrator to view default protected
folders}
ControlledFolderAccessProtectedFolders :
DefinitionUpdatesChannel : 0
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCacheMaintenance : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCoreServiceECSIntegration : False
DisableCoreServiceTelemetry : False
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableDnsOverTcpParsing : False
DisableDnsParsing : False
DisableEmailScanning : False
DisableFtpParsing : False
DisableGradualRelease : False
DisableHttpParsing : False
DisableInboundConnectionFiltering : False
DisableIOAVProtection : False
DisableNetworkProtectionPerfTelemetry : False
DisablePrivacyMode : False
DisableQuicParsing : False
DisableRdpParsing : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : False
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
DisableSmtpParsing : False
DisableSshParsing : False
DisableTamperProtection : False
DisableTlsParsing : False
EnableControlledFolderAccess : 1
EnableConvertWarnToBlock : False
EnableDnsSinkhole : True
EnableEcsConfiguration : False
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 1
EnableUdpReceiveOffload : False
EnableUdpSegmentationOffload : False
EngineUpdatesChannel : 3
ExclusionExtension : {N/A: Must be an administrator to view exclusions}
ExclusionIpAddress : {N/A: Must be an administrator to view exclusions}
ExclusionPath : {N/A: Must be an administrator to view exclusions}
ExclusionProcess : {N/A: Must be an administrator to view exclusions}
ForceUseProxyOnly : False
HideExclusionsFromLocalUsers : True
HighThreatDefaultAction : 0
IntelTDTEnabled :
LowThreatDefaultAction : 0
MAPSReporting : 2
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
NetworkProtectionReputationMode : 0
OobeEnableRtpAndSigUpdate : False
PerformanceModeStatus : 1
PlatformUpdatesChannel : 3
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 1
QuarantinePurgeItemsAfterDelay : 90
QuickScanIncludeExclusions : 0
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
RemoteEncryptionProtectionAggressiveness : 0
RemoteEncryptionProtectionConfiguredState : 0
RemoteEncryptionProtectionExclusions : {N/A: Must be an administrator to view exclusions}
RemoteEncryptionProtectionMaxBlockTime : 0
RemoveScanningThreadPoolCap : False
ReportDynamicSignatureDroppedEvent : False
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleOffset : 120
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SchedulerRandomizationTime : 4
ServiceHealthReportInterval : 60
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SharedSignaturesPathUpdateAtScheduledTimeOnly : False
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 3
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
ThrottleForScheduledScanOnly : True
TrustLabelProtectionStatus : 0
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :

PS C:\Users\nestorw>

Here are ways to check the sensor to see if system is offboarded. I have not run these to double check. For Windows:

sc query sense

C:\Users\nestorw>sc query sense

SERVICE_NAME: sense
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Users\nestorw>

If the sense service is not found or is stopped, the device might be off-boarded.

Check the Registry:
- Open Registry Editor (regedit).
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
- Look for the OnboardingState value. If it is set to 0, the device is off-boarded.
Event Logs:
- Open Event Viewer.
- Navigate to Applications and Services Logs > Microsoft > Windows > SENSE > Operational.
- Look for Event ID 20 or 44, which indicate off-boarding events.

Get-MpComputerStatus Will let you know what mode and a host of other information on MDE running on the device.

Next Generation Protection

Attack Surface Reduction

Resist attacks and exploitations

HW based isolation
Application control
Exploit protection
Network protection
Controlled folder access
Device control
Web protection
Ransomware protection

What is used for:

Isolate access to untrusted sites
Isolate access to untrusted Office files
Host intrusion prevention
Exploit mitigation
Ransomware protection for your files
Block traffic to low reputation destinations
Protect your legacy applications
Only allow trusted applications to run

Attack Surface Reduction (ASR) Rules

Minimize the attack surface: Signature-less, control entry vectors, based on cloud intelligence. Attack surface reduction (ASR) controls, such as behavior of Office macros.

Productivity apps rules

Block Office apps from creating executable content
Block Office apps from creating child processes
Block Office apps from injecting code into other processes
Block Win32 API calls from Office macros
Block Adobe Reader from creating child processes

Email rule

Block executable content from email client and webmail
Block only Office communication applications from creating child processes

Script rules

Block obfuscated JS/VBS/PS/macro code
Block JS/VBS from launching downloaded executable content

Polymorphic threats

Block executable files from running unless they meet a prevalence (1000 machines), age (24hrs), or trusted list criteria
Block untrusted and unsigned processes that run from USB
Use advanced protection against ransomware

Lateral movement & credential theft

Block process creations originating from PSExecand WMI commands
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block persistence through WMI event subscription

Web Threat Protection Architecture

Detection & Response

Endpoint Detection & Response:

Correlated post-breach detection
Investigation experience
Incident
Advanced hunting
Response actions (+EDR blocks)
Deep file analysis
Live response
Threat analytics

Live Response

Real-time live connection to a remote system
Leverage Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)

Extended remediation command + easy undo

Full audit
Extendable (write your own command, build your own tool)
RBAC+ Permissions

Microsoft 365 Defender Automated Investigation & Response (AIR)

Microsoft AIR mimics these steps using 15 built-in investigations playbooks and 20 remediation actions

No AIR defined Playbook in Defender. But you can define your own playbook in Sentinel.

What response actions should be covered?

Response Actions on a Device

1. Manage tags

2. Initiate Automated Investigation

3. Initiate Live Response Session

4. Collect investigation package from devices

5. Run Microsoft Defender Antivirus scan on devices

6. Restrict app execution

7. Isolate devices from the network

8. Contain devices from the network

9. Consult a threat expert

10. Check activity details in Action center

11. Turn on Troubleshooting mode

Take response actions on a device: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts

Response actions on a file

1. Stop and quarantine files in your network

2. Restore file from quarantine

3. Download or collect file

4. Add indicator to block or allow a file

5. Consult a threat expert

6. Check activity details in Action center

7. Deep analysis

Take response actions on a file: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts

Reports

Prevention

Features How to Demonstrate

Windows Defender Exploit Guard Attack Surface Reduction Rules Attack Surface Reduction - Microsoft Defender

Windows Defender Exploit Guard Controlled Folder Access Controlled Folder Access - Microsoft Defender

Windows Defender Exploit Guard Network Protection Network Protection - Microsoft Defender

Windows Defender SmartScreen URL Reputation UrlRep - Microsoft Defender

Windows Defender SmartScreen App Reputation AppRep - Microsoft Defender Testground

Microsoft Defender for Endpoint Web Content Filtering Demo (Block SNS & Access to ex. facebook.com)

Microsoft Defender for Endpoint Indicators (URL / IP / Domain)

Demo (Specify URL & Access to the URL)

*There may be up to 2 hours of latency

Attack Surface Reduction (ASR)

ASR Rules in Intune:

URL Filtering, and

Anti Virus

Investigation

Detection & Investigation

Review incident & Alerts

Results of review:

Actions:

1. isolate device

2. Copilot for security

3. Alerts

4. File submission as indicator

5. virustotal hash

6. Auto invesitigation

Notification

Normal Notification

Create Incident Alert

Create vulnerability alert

References

Supported Microsoft Defender for Endpoint capabilities by platform
Investigate entities on devices using live response
Microsoft Defender for Endpoint - demonstration scenarios - https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstrations

Next generation protection

Microsoft Defender Antivirus: Your next generation protection
Learn about our approach to fileless threats
Stopping attacks in their tracks through behavioral blocking and containment
EDR in block mode
Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner

Architecture

Understand the architecture of the service

Onboarding

Onboarding machines
Deploy Microsoft Defender ATP for Mac in just a few clicks
Deploy Microsoft Defender ATP in rings
Microsoft Defender for Endpoint for iOS
Microsoft Defender for Endpoint for Linux
Onboarding and servicing non-persistent VDI machines
Configuring Microsoft Defender Antivirus for non-persistent VDI machines

Grant and control access

Use basic permissions to access the portal
How to use RBAC
How to use tagging effectively (Part 1)
How to use tagging effectively (Part 2)
How to use tagging effectively (Part 3)
Multi-tenant access for Managed Security Service Providers
Step-by-step: Multi-tenant access for Managed Security Service Providers

Security configuration

Use Microsoft Endpoint Manager to manage security configuration
Manage Microsoft Defender Firewall with Microsoft Defender ATP and Microsoft Intune
Turn on tamper protection
Co-Management

Attack Surface Reduction

Learn about all the features to help you reduce the attack surface
Track and regulate access to websites with web content filtering
Learn more about Application control
Get a better understanding of Network protection
Understand attack surface reduction rules
How to configure attack surface reduction rules and how to use exclusions
How to report and troubleshoot Microsoft Defender ATP ASR Rules
Migrate from a 3rd party HIPS solution into ASR rules
Reputation analysis - Microsoft Defender SmartScreen

Next generation protection

Microsoft Defender Antivirus: Your next generation protection
Learn about our approach to fileless threats
Stopping attacks in their tracks through behavioral blocking and containment
EDR in block mode
Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner

Responding to threats

Overview of live response
Investigate entities on devices using live response
Response actions on machines
Response actions on a file

Jeffrey Appel MDE : https://jeffreyappel.nl/tag/mde-series/

Latest

NETSEC

Friday, October 4, 2024

Defender Lab Notes 1 (Mgmt & Config, RBAC, Prevention, ASR&NGP, Detection, Invesitigation, Response)

Management

Endpoint Security Stack:

Management Architecture

MDE Configuration Management:

Integrate with Intune

RBAC

Best practice:

Device Group

Onboarding

Auto Enroll for Azure Environment:

Device onboarded by MDE

Use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices not enrolled with Intune

Device onboarded by Intune

Off-boarding

Next Generation Protection

Attack Surface Reduction

Detection & Response

Live Response

Response Actions on a Device

Response actions on a file

Reports

Prevention

Investigation

Notification

References

Subscribe via email

No comments:

Post a Comment

Search

About + Social

NETSEC Blog

Categories

Popular

Recent Comments

51SEC Sites

Blog Archive

Translate

Pages

Contact Us

YouTube