If you want to find threats earlier, it is now possible to use NRT (near-real-time) custom detection rules in Defender.
Before this, the only schedules were every 24h, 12h, 3h and 1h. NRT rules give defenders the ability to detect and respond to threats much earlier.
Tables that support Continuous (NRT) frequency
AlertEvidence
DeviceEvents
DeviceFileCertificateInfo
DeviceFileEvents
DeviceImageLoadEvents
DeviceLogonEvents
DeviceNetworkEvents
DeviceNetworkInfo
DeviceInfo
DeviceProcessEvents
DeviceRegistryEvents
EmailAttachmentInfo
EmailEvents
EmailPostDeliveryEvents
EmailUrlInfo
UrlClickEvents
NRT rules do not support the externaldata operator, and the query can reference only one table.
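As an added example (not from the original post), here is a query that stays within the NRT constraints: it reads a single supported table, EmailEvents, and uses no join, union or externaldata. It surfaces messages that were classified as phishing or malware but still delivered to the inbox, which is exactly the kind of detection the mailbox actions (move to junk, soft delete) fit. It keeps Timestamp, ReportId and the email entity columns (NetworkMessageId, RecipientEmailAddress) that a custom detection rule requires. The subject keywords are a constructed placeholder, not a recommendation.

```kql
// NRT-eligible: one table, no join/union, no externaldata.
// Delivered mail that Defender for Office 365 flagged as Phish or Malware.
EmailEvents
| where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
| where ThreatTypes has_any ("Phish", "Malware")
      // constructed example keywords; replace with lures you actually see
      or Subject has_any ("invoice overdue", "password expiring")
// Timestamp, ReportId and the entity columns are required for a detection rule
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, SenderMailFromAddress, Subject,
          ThreatTypes, DeliveryAction, DeliveryLocation
```

The same logic written as a join against EmailUrlInfo or EmailAttachmentInfo would run fine in Advanced Hunting but would not be accepted with the Continuous (NRT) frequency; if you need the extra columns, keep the NRT rule on one table and do the enrichment in the investigation.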
Configuring NRT (Continuous) Rule
From Advanced Hunting, develop your query, create the detection rule from it, and configure the Alert details.
Click Next and select the impacted entities (in this case we are using an email table, so the impacted entity is the mailbox). Click Next and configure the actions. Think carefully about what each action means and make sure your query detects exactly what you want.
Be cautious with Isolate device when querying Device tables. If your detection has an error you may isolate all machines by mistake.
It’s now completed!
Don’t forget that you can also use hunting if you want to take response actions on multiple entities very quickly.
From the results of your hunting query, select the rows where you want to take action and click Take actions.
This brings up the Actions pane, where you can choose the actions you need.
Depending on your query (which tables and output columns), you get different action options.
One thing threat actors commonly do when they get a foothold on a device is to try to disable the Defender services and add exclusions for the tools they plan to execute.
For the Defender services we have had Tamper Protection for some time, but it did not cover exclusions.
Tamper Protection configuration via Intune
Requirements
For Tamper Protection to cover exclusions, the following requirements must be met:
Devices are running Windows Defender platform 4.18.2211.5 or later
The registry value TPExclusions under the key HKLM\SOFTWARE\Microsoft\Windows Defender\Features shows 1 if exclusions are protected and 0 if not. Note that you cannot change this registry value to protect the exclusions; it is informational, not a configuration setting.
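The two angles above (exclusions being added, and whether they were protected at the time) can be hunted from Advanced Hunting. This is an added example, not from the original post, and it assumes MDE records registry writes under the Windows Defender keys on your devices; the lookback and the cmdlet parameter names (ExclusionPath, ExclusionProcess, ExclusionExtension, ExclusionIpAddress) are the standard Defender PowerShell parameters.

```kql
// Added example: Defender exclusion changes, with the TPExclusions state per device.
let lookback = 7d;
// 1) Exclusions written straight into the registry (local or policy key).
let RegistryExclusions = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
    | where RegistryKey contains @"\Windows Defender\Exclusions\"
    | project Timestamp, DeviceName, Technique = "registry",
              Detail = strcat(RegistryKey, " -> ", RegistryValueName),
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName;
// 2) Exclusions added through the Defender PowerShell cmdlets.
let CmdletExclusions = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine has_any ("Add-MpPreference", "Set-MpPreference")
    | where ProcessCommandLine has_any ("ExclusionPath", "ExclusionProcess",
                                        "ExclusionExtension", "ExclusionIpAddress")
    | project Timestamp, DeviceName, Technique = "cmdlet",
              Detail = ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName;
// 3) Latest TPExclusions value seen per device (assumes MDE records this key).
//    1 = exclusions protected, 0 = not protected; the value is informational only.
let TpState = DeviceRegistryEvents
    | where Timestamp > ago(30d)
    | where RegistryKey endswith @"\Windows Defender\Features"
        and RegistryValueName == "TPExclusions"
    | summarize arg_max(Timestamp, RegistryValueData) by DeviceName
    | project DeviceName, TPExclusions = RegistryValueData;
union RegistryExclusions, CmdletExclusions
| join kind=leftouter TpState on DeviceName
| project Timestamp, DeviceName, TPExclusions, Technique, Detail,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

Legitimate policy deployment (Intune, GPO, the Defender service itself) also writes these keys, so baseline on InitiatingProcessFileName and InitiatingProcessAccountName before turning this into a custom detection; an exclusion added from an interactive PowerShell or a script under a user account is the interesting case.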
While we talk about Antivirus policies…
We would like to share this as well, since it’s something we see when we do Defender assessments: unfortunately it is very common that these settings are wrong.
Cloud block level must be set (High is the recommended minimum) and Cloud extended timeout must be set to 50 (seconds).
Sample submission is required for Cloud protection
One challenge with configuring the Windows firewall (beyond the default of block inbound, allow outbound) is that we need data. Before Defender for Endpoint we had to rely on event forwarding and similar techniques to get that data from the environment.
Microsoft has recently released a Defender Firewall (Windows Firewall) report where we can see the events. It has some prerequisites in terms of audit settings (Windows audit settings, not the firewall log).
Configure firewall auditing
Enable auditing for the Filtering Platform subcategories.
Always verify the possible impact in your environment before enabling new settings on all endpoints.
To get the data, the device must be onboarded to MDE.
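Once the audit settings are in place, the firewall events land in DeviceEvents. The following added query (not from the original post) gives two things at once: per device, a count of firewall events and the inbound ports being blocked, and a list of onboarded Windows devices that report no firewall events at all, which are the first candidates to check for missing Filtering Platform auditing. It uses the firewall ActionType values DeviceEvents records and the OnboardingStatus column of DeviceInfo; the 7-day lookback is an assumption.

```kql
// Added example: firewall report coverage and blocked inbound ports per device.
let lookback = 7d;
let FirewallCounts = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FirewallInboundConnectionBlocked",
                           "FirewallOutboundConnectionBlocked",
                           "FirewallInboundConnectionToAppBlocked")
    | summarize FirewallEvents = count(),
                InboundBlocks = countif(ActionType == "FirewallInboundConnectionBlocked"),
                TopBlockedPorts = make_set_if(LocalPort,
                                    ActionType == "FirewallInboundConnectionBlocked", 10),
                BlockedSources = make_set_if(RemoteIP,
                                    ActionType == "FirewallInboundConnectionBlocked", 20)
        by DeviceName;
// Every onboarded Windows device, whether or not it produced firewall events.
DeviceInfo
| where Timestamp > ago(lookback)
| where OSPlatform startswith "Windows" and OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, OSPlatform) by DeviceName
| join kind=leftouter FirewallCounts on DeviceName
| extend FirewallEvents = coalesce(FirewallEvents, long(0)),
         InboundBlocks = coalesce(InboundBlocks, long(0))
| extend AuditStatus = iff(FirewallEvents == 0,
                           "no firewall events: check Filtering Platform auditing",
                           "reporting")
| project DeviceName, OSPlatform, AuditStatus, FirewallEvents, InboundBlocks,
          TopBlockedPorts, BlockedSources
| order by FirewallEvents asc
```

A device with zero events can also simply have had nothing to block in the window, so treat the AuditStatus column as a worklist, not a verdict; the devices that do report give you the data the post is after, namely which ports and sources are actually hitting the default inbound block.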
The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide an extremely powerful Endpoint Protection Platform (EPP). Microsoft is named a Leader!
With built-in, powerful capabilities that tie into Protect, Detect and Respond, they have given us great tools for our security work.
Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Windows 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.
Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.
The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP, Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.
Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.
Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.
In addition, excellent execution on its roadmap makes it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.
Gartner
The insights and protection these tools give, together with the ability to use the built-in SOAR capabilities, give security teams around the globe a better and much faster understanding of attacks, and therefore a much faster response.
Many features, like Exploit Protection, Network Protection, Attack Surface Reduction, Firewall and more, provide a more reliable platform that is easy to manage.
The enriched alerts and incidents give security teams a chance to put their effort into the critical incidents instead of spending time fighting the noise across different tools and manual tasks.
Automated investigations
Build your playbooks
Take back the control with live response
We also have the Threat and Vulnerability Management feature, which gives you visibility of vulnerable software in your estate.
Alright, since I happen to be in blog mode, I’ll keep the posts coming.
This post continues to explore the hunting capabilities in Defender ATP by querying for Exploit Guard detections.
So what’s this Exploit Guard?
Windows Defender Exploit Guard is a set of intrusion prevention capabilities built into Windows 10, version 1709 and newer.
Exploit Guard consists of four components designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements.
Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script- and email-based threats.
Network Protection: Protects the endpoint against web-based threats by blocking any outbound connection from a process on the device to untrusted hosts/IPs, through Windows Defender SmartScreen.
Controlled Folder Access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders.
Exploit Protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications.
Example of ASR rules
• Block Office apps from creating executable content
• Block Office apps from launching child processes
• Block Office apps from injecting into processes
• Block Win32 imports from macro code in Office
• Block obfuscated macro code
Exploit Guard is configured through MDM (Intune), SCCM, GPO or PowerShell.
If you have a Microsoft 365 E5 license or the Threat Protection license package, you don’t have to use Windows Event Forwarding to get the events into a central log solution. They are automatically forwarded to the Microsoft 365 security portal, https://security.microsoft.com, where a dashboard shows alerts and the configuration of ASR and other features.
The following dashboard is part of the Monitor and Report section in the portal.
Back to Defender ATP and the hunting which this post was supposed to be all about.
We have published some posts now about hunting custom alerts.
In the query console in Defender ATP we worked backwards to find the ASR events. It’s simple: configure your client and run a few attacks that trigger the alerts.
We looked in MiscEvents for all events (filtered on ComputerName and time), which gave us ideas for ActionTypes to use in the query.
Examples from the output:
AsrOfficeMacroWin32ApiCallsAudited
AsrPsexecWmiChildProcessBlocked
ControlledFolderAccessViolationBlocked
ExploitGuardAcgAudited
ExploitGuardChildProcessAudited
ExploitGuardNetworkProtectionBlocked
ExploitGuardNonMicrosoftSignedAudited
ExploitGuardWin32SystemCallBlocked
SmartScreenAppWarning
SmartScreenUrlWarning
SmartScreenUserOverride
Interesting note: SmartScreenUserOverride is a separate event that you can query.
Once we had the raw ActionTypes, we created a query to cover as much as we could.
// Happy Hunting
// Note: in the current schema MiscEvents, EventTime and ComputerName
// are named DeviceEvents, Timestamp and DeviceName.
MiscEvents
// contains is case-insensitive, so "asr" matches AsrOfficeMacroWin32ApiCallsAudited etc.
| where ActionType contains "asr"
    or ActionType contains "Exploit"
    or ActionType contains "SmartScreen"
    or ActionType contains "ControlledFolderAccess"
// AdditionalFields is a JSON string; parse it once so we can pick out fields below
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,
    FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
    JsonOut.IsAudit, JsonOut.Uri, JsonOut.RuleId, JsonOut.ActivityId
We also parse AdditionalFields to add extra value for the events that carry such data.
From this point we can add more filters. For example, if you want to enable ASR enterprise-wide: set the rules in audit mode, report on the alerts without affecting user productivity, remediate, and then do an enterprise-wide block rollout.
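The audit-mode step of that rollout is where the parsed AdditionalFields pay off. The following added query (not from the original post) sizes the impact of each ASR rule while it is still in audit mode: how many devices and users would have been affected, and which files and parent processes triggered it, so you can decide per rule whether to block, or to remediate first. It uses the current table and column names (DeviceEvents, Timestamp, DeviceName) rather than the MiscEvents names of the query above; the 30-day lookback and the device-count thresholds are assumptions to adjust to your estate.

```kql
// Added example: per-rule impact of ASR audit events before switching to block mode.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
// RuleId (the ASR rule GUID) and IsAudit live inside AdditionalFields
| extend Fields = parse_json(AdditionalFields)
| extend RuleId = tostring(Fields.RuleId), IsAudit = tobool(Fields.IsAudit)
| summarize Events = count(),
            Devices = dcount(DeviceName),
            Users = dcount(InitiatingProcessAccountName),
            SampleFiles = make_set(FileName, 10),
            SampleParents = make_set(InitiatingProcessFileName, 10),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
    by ActionType, RuleId, IsAudit
// rough triage: a rule hitting a handful of devices is easy to review and block,
// a rule hitting many devices needs remediation or exclusions first
| extend RolloutCall = case(
      IsAudit == false, "already blocking",
      Devices <= 5, "few devices: review samples, then block",
      "broad impact: investigate samples before blocking")
| order by Devices desc
```

Run it once per wave of the rollout: rules that show "few devices" with samples you recognise as unwanted (macro-spawned shells, obfuscated scripts) are the safe ones to move to block first, and the SampleCommandLines column is usually enough to tell a line-of-business tool from something that should never have run.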
Today Microsoft announced that it is now possible to onboard older legacy operating systems to ATP (Advanced Threat Protection) through the public preview that is now available.
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise
Even though we always recommend using the latest versions, there might be scenarios where you need the advanced detection and response capabilities of ATP and it’s not possible to upgrade the machines.
The difference from Windows 10 is that the sensor is not built in: you have to install the Microsoft Monitoring Agent, which connects to your workspace and reports the sensor data.