When working with Incident Response you from time to time find artifacts that you need to block, IP Addresses or specific URLs. Instead of doing this on the proxies or firewalls its often more efficient to do this on the endpoint level to catch roaming machines where ever they are. In some cases you also work with other TI vendors and get IPs and URLs you want to block and build automation around. This feature is currently in preview
So, with WDATP you can now block or allow IPs and Urls.
For this feature to work you need to have some prerequisites
- Windows 10 1709 Pro, E3/E5 or Edu
- Windows Defender Network Protection
- Windows Defender AV
- Cloud Delivered Protection Enabled
It’s possible to enable Network Protection in several ways
- Group Policy
- System Center Configuration Manager
- Intune / MDM
For detailed steps for each method
In our case we will just leverage PowerShell. To set and verify its configured
Set-MpPreference -EnableNetworkProtection Enabled
Get-MpPreference | fl
Once you have prepared the endpoint you can go to the MDATP Portal and add your IPs/URLs
- Navigate to Settings > Rules > Indicators.
- Select the IP Address tab to view the list of IP’s.
- Select the URLs/Domains to view the list of URLs/domains.
In this tutorial we will Add a URL but the same procedure would apply for an IP.
1. Click on Add Indicator
2. Enter a url and select if you want the block to expire
3. Add an Action as you like and descriptive texts as you want to have with your alerts. In this case we want to block and get an alert for this.
4. Select Scope, in this case we will select all machines but if you have built a structure with Machine Groups you can select to target specific machine groups where this will apply.
5. On the Summary screen click Save.
Note: from entering an IP/URL it can take some time for it to propagate to the endpoints and when it comes to removal it may even take a bit longer.
So when this has propagated to the endpoints we can test it out and see how this looks on the endpoint.
When browsing to the URL the end user will be notified about that something is blocked with a toast notification and an event log entry will also be logged.
If you want to customize the toast notifications for Windows Defender you can do that with updated group policy templates more information on that here. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications
To create a custom view in event viewer use this url reference.
In our case an alert will also be triggered in in the MDATP console as well where we can continue our investigation. I hope this gave a little valuable insight on this feature.
Pingback: Blocking MCAS Unsanctioned Apps at the Endpoint with MDATP. – SEC-LABS R&D
is it possible to whitelist an url who is blocked by network protection