This post collects some notes from a lab practice with Microsoft Defender for Endpoint (MDE).
Management
Endpoint Security Stack:
- Antivirus
- Disk Encryption
- Firewall
- Endpoint Detection & Response
- Attack Surface Reduction
- Device Control
- Web Protection
- Network Protection
Management Architecture
Microsoft Endpoint Manager (MDM) = Microsoft Intune admin center (the Endpoint Manager name has since been retired in favour of Intune)
- Antivirus
- Disk Encryption
- Firewall
- Endpoint Detection and Response
- Endpoint Privilege Management
- Account Protection
- App Control
- Attack surface reduction
- Device Compliance
- Conditional Access
MDE Configuration Management:
Integrate with Intune
From the Defender portal: https://security.microsoft.com/securitysettings/endpoints/
From Intune: https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/
RBAC
Example:
Organization Chart with RBAC Role, Device Tag, Device Name
1. RBAC
Best practice:
1. Create Azure AD User Groups
2. Configure MDE RBAC
3. Create Device Tags
4. Create Device Groups
Microsoft Defender – System – settings – Endpoints – Permissions – Roles
Device Group
Microsoft Defender – System – settings – Endpoints – Permissions – Device groups
It takes some time for the device count to show up in the group.
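Step 3 of the best practice above (create device tags) can also be done from the endpoint itself through the documented DeviceTagging registry key, which is useful for devices that are not yet in Intune. The following is an added example, not code from the original post or from Microsoft; run it from an elevated PowerShell prompt on an onboarded Windows device. The tag value 'Finance-Workstations' is an assumption for illustration.

```powershell
# Added example (not from the original post): set and verify an MDE device tag
# locally via the documented DeviceTagging registry key so the device lands in
# the intended device group. Run from an elevated PowerShell prompt.
# The tag value 'Finance-Workstations' is an assumption for illustration.

$TagKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$TagName = 'Group'   # the registry value name the sensor reads for the tag

function Set-MdeDeviceTag {
    param(
        [Parameter(Mandatory)][ValidateLength(1, 200)][string]$Tag
    )
    # Only one tag can be set this way, and it must be a string (REG_SZ).
    if (-not (Test-Path $TagKey)) {
        New-Item -Path $TagKey -Force | Out-Null
    }
    New-ItemProperty -Path $TagKey -Name $TagName -Value $Tag -PropertyType String -Force | Out-Null
}

function Get-MdeDeviceTag {
    if (-not (Test-Path $TagKey)) { return $null }
    (Get-ItemProperty -Path $TagKey -Name $TagName -ErrorAction SilentlyContinue).$TagName
}

function Remove-MdeDeviceTag {
    # A tag set via the registry cannot be removed from the portal; remove it here instead.
    if (Test-Path $TagKey) {
        Remove-ItemProperty -Path $TagKey -Name $TagName -ErrorAction SilentlyContinue
    }
}

Set-MdeDeviceTag -Tag 'Finance-Workstations'
$applied = Get-MdeDeviceTag
if ($applied -ne 'Finance-Workstations') { throw "Tag not applied: got '$applied'" }
Write-Host "Device tag set to '$applied'. It appears in the portal after the next sensor check-in."
```

Because the tag is a policy registry value, it should be delivered by the same channel that manages the device (GPO, SCCM or Intune) rather than set by hand at scale; the manual write above is for lab use and for confirming that a device group membership rule matches as expected.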
Onboarding
Auto Enroll for Azure Environment:
Azure AD / Entra ID – Manage – Mobility (MDM and WIP) – Microsoft Intune
Device onboarded by MDE
Use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices not enrolled with Intune
https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration
How does it work?
- Devices onboard to Microsoft Defender for Endpoint.
- Devices communicate with Intune. This communication enables Microsoft Intune to distribute policies that are targeted to the devices when they check in.
- A registration is established for each device in Microsoft Entra ID:
- If a device previously was fully registered, like a Hybrid Join device, the existing registration is used.
- For devices that aren’t registered, a synthetic device identity is created in Microsoft Entra ID to enable the device to retrieve policies. When a device with a synthetic registration has a full Microsoft Entra registration created for it, the synthetic registration is removed and the device’s management continues uninterrupted using the full registration.
- Defender for Endpoint reports the status of the policy back to Microsoft Intune.
Device onboarded by Intune
https://intune.microsoft.com/#home
Assign the onboarding policy to all users or to specific group(s).
Manually onboarding a single device / user:
We can use SCCM, MDE, or Intune to push deployment packages to endpoints.
For orphan devices not covered by any of these, there is a local onboarding script per OS to download and run on them.
Off-boarding
Once onboarded, the device shows its last report time; if it stops reporting, it is marked inactive after 7 days.
Inactive device: it cannot be deleted manually from the portal.
It will be auto-purged after 6 months.
Command line:
- Get-MpPreference (run it from an elevated prompt: in the output below, exclusions and protected folders show "N/A: Must be an administrator to view exclusions" because the session was not elevated and HideExclusionsFromLocalUsers is True)
PS C:\Users\nestorw> Get-MpPreference
AllowDatagramProcessingOnWinServer : False
AllowNetworkProtectionDownLevel : False
AllowNetworkProtectionOnWinServer : False
AllowSwitchToAsyncInspection : False
ApplyDisableNetworkScanningToIOAV : False
AttackSurfaceReductionOnlyExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_Actions : {1, 1, 1, 1…}
AttackSurfaceReductionRules_Ids : {01443614-cd74-433a-b99e-2ecdc07bfc25,
01443614-CD74-433A-B99E2ECDC07BFC25,
26190899-1602-49e8-8b27-eb1d0a1ce869,
3B576869-A4EC-4529-8536-B80A7769E899…}
AttackSurfaceReductionRules_RuleSpecificExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_RuleSpecificExclusions_Id : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionAggressiveness : 0
BruteForceProtectionConfiguredState : 0
BruteForceProtectionExclusions : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionLocalNetworkBlocking : False
BruteForceProtectionMaxBlockTime : 0
BruteForceProtectionSkipLearningPeriod : False
CheckForSignaturesBeforeRunningScan : False
CloudBlockLevel : 2
CloudExtendedTimeout : 50
ComputerID : 53478E7B-6656-4EC1-AC79-1BDE55590FE3
ControlledFolderAccessAllowedApplications : {N/A: Must be an administrator to view exclusions}
ControlledFolderAccessDefaultProtectedFolders : {N/A: Must be an administrator to view default protected folders}
ControlledFolderAccessProtectedFolders :
DefinitionUpdatesChannel : 0
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCacheMaintenance : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCoreServiceECSIntegration : False
DisableCoreServiceTelemetry : False
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableDnsOverTcpParsing : False
DisableDnsParsing : False
DisableEmailScanning : False
DisableFtpParsing : False
DisableGradualRelease : False
DisableHttpParsing : False
DisableInboundConnectionFiltering : False
DisableIOAVProtection : False
DisableNetworkProtectionPerfTelemetry : False
DisablePrivacyMode : False
DisableQuicParsing : False
DisableRdpParsing : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : False
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
DisableSmtpParsing : False
DisableSshParsing : False
DisableTamperProtection : False
DisableTlsParsing : False
EnableControlledFolderAccess : 1
EnableConvertWarnToBlock : False
EnableDnsSinkhole : True
EnableEcsConfiguration : False
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 1
EnableUdpReceiveOffload : False
EnableUdpSegmentationOffload : False
EngineUpdatesChannel : 3
ExclusionExtension : {N/A: Must be an administrator to view exclusions}
ExclusionIpAddress : {N/A: Must be an administrator to view exclusions}
ExclusionPath : {N/A: Must be an administrator to view exclusions}
ExclusionProcess : {N/A: Must be an administrator to view exclusions}
ForceUseProxyOnly : False
HideExclusionsFromLocalUsers : True
HighThreatDefaultAction : 0
IntelTDTEnabled :
LowThreatDefaultAction : 0
MAPSReporting : 2
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
NetworkProtectionReputationMode : 0
OobeEnableRtpAndSigUpdate : False
PerformanceModeStatus : 1
PlatformUpdatesChannel : 3
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 1
QuarantinePurgeItemsAfterDelay : 90
QuickScanIncludeExclusions : 0
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
RemoteEncryptionProtectionAggressiveness : 0
RemoteEncryptionProtectionConfiguredState : 0
RemoteEncryptionProtectionExclusions : {N/A: Must be an administrator to view exclusions}
RemoteEncryptionProtectionMaxBlockTime : 0
RemoveScanningThreadPoolCap : False
ReportDynamicSignatureDroppedEvent : False
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleOffset : 120
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SchedulerRandomizationTime : 4
ServiceHealthReportInterval : 60
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SharedSignaturesPathUpdateAtScheduledTimeOnly : False
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 3
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
ThrottleForScheduledScanOnly : True
TrustLabelProtectionStatus : 0
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :
PS C:\Users\nestorw>
Here are ways to check the sensor to see if a system is off-boarded. I have not run these to double-check. For Windows:
sc query sense
C:\Users\nestorw>sc query sense
SERVICE_NAME: sense
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Users\nestorw>
- If the sense service is not found or is stopped, the device might be off-boarded.
- Check the Registry: open Registry Editor (regedit), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status and look for the OnboardingState value. If it is set to 0, the device is off-boarded.
- Event Logs: open Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > SENSE > Operational and look for Event ID 20 or 44, which indicate off-boarding events.
Get-MpComputerStatus will tell you the running mode of Defender Antivirus (AMRunningMode) and a host of other information about MDE on the device.
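The four manual checks above (sense service, OnboardingState registry value, SENSE operational log, Get-MpComputerStatus) can be combined into one report. This is an added example, not code from the original post; run it in an elevated PowerShell session on the Windows device. The event IDs 20 and 44 are taken from the notes above, which the author has not verified, so they are passed through as-is.

```powershell
# Added example (not from the original post): consolidate the manual sensor checks
# into one object. Run in an elevated PowerShell session on the Windows device.
# Event IDs 20 and 44 are the ones listed in the notes above (unverified there).

$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeSensorState {
    # 1. Sensor service: 'Running' is expected on an onboarded device.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. Registry: OnboardingState 1 = onboarded, 0 = off-boarded, missing = never onboarded.
    $onboardingState = $null
    if (Test-Path $StatusKey) {
        $onboardingState = (Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # 3. SENSE operational log: most recent events with the off-boarding IDs from the notes.
    $offboardEvents = @()
    try {
        $offboardEvents = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SENSE/Operational'; Id = 20, 44
        } -MaxEvents 5 -ErrorAction Stop)
    } catch {
        # No matching events, or the log is not present on this device.
    }

    # 4. Defender Antivirus status: the running mode matters if EDR is the only control left.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SenseService       = $serviceState
        OnboardingState    = $onboardingState
        LastOffboardEvent  = if ($offboardEvents.Count -gt 0) { $offboardEvents[0].TimeCreated } else { $null }
        AMRunningMode      = $mp.AMRunningMode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        TamperProtected    = $mp.IsTamperProtected
        SignaturesUpdated  = $mp.AntivirusSignatureLastUpdated
        # Either signal alone is enough to treat the device as not reporting to MDE.
        LikelyOffboarded   = ($serviceState -ne 'Running') -or ($onboardingState -ne 1)
    }
}

Get-MdeSensorState | Format-List
```

A device can be on-boarded according to the registry yet still not reporting (service stopped, blocked proxy, stale signatures), so LikelyOffboarded is a hint to dig further, not a replacement for the device's last-seen time in the portal.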
Next Generation Protection
Attack Surface Reduction
- Hardware-based isolation
- Application control
- Exploit protection
- Network protection
- Controlled folder access
- Device control
- Web protection
- Ransomware protection
What they are used for:
- Isolate access to untrusted sites
- Isolate access to untrusted Office files
- Host intrusion prevention
- Exploit mitigation
- Ransomware protection for your files
- Block traffic to low reputation destinations
- Protect your legacy applications
- Only allow trusted applications to run
Attack Surface Reduction (ASR) Rules
Minimize the attack surface: signature-less controls over entry vectors, backed by cloud intelligence. Attack surface reduction (ASR) rules constrain risky behaviours, such as what Office macros are allowed to do.
- Block Office apps from creating executable content
- Block Office apps from creating child processes
- Block Office apps from injecting code into other processes
- Block Win32 API calls from Office macros
- Block Adobe Reader from creating child processes
- Block executable content from email client and webmail
- Block only Office communication applications from creating child processes
- Block obfuscated JS/VBS/PS/macro code
- Block JS/VBS from launching downloaded executable content
- Block executable files from running unless they meet a prevalence (1000 machines), age (24hrs), or trusted list criteria
- Block untrusted and unsigned processes that run from USB
- Use advanced protection against ransomware
- Block process creations originating from PsExec and WMI commands
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block persistence through WMI event subscription
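The Get-MpPreference output earlier in these notes shows ASR rules only as two parallel arrays of GUIDs and action codes, which is hard to read against the rule list above. The following added example (not code from the original post or from Microsoft) decodes those arrays into a table and flags rules from the list that are not enforcing. The GUID-to-name map is taken from Microsoft's ASR rules reference from memory; verify it against the current docs before relying on it. When the Defender cmdlets are not available (for example on a non-Windows host), it falls back to a constructed sample mirroring the ids and actions shown in the output above.

```powershell
# Added example (not from the original post): decode Get-MpPreference's
# AttackSurfaceReductionRules_Ids / _Actions arrays into a readable report.
# GUID-to-name map from Microsoft's ASR rules reference (verify against current docs).

$AsrRuleNames = @{
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication apps from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block obfuscated JS/VBS/PS/macro code'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JS/VBS from launching downloaded executable content'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence/age/trusted-list criteria met'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI commands'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
# Action codes as used by Set-MpPreference / Add-MpPreference.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleReport {
    param([string[]]$Ids, [int[]]$Actions)
    $report = for ($i = 0; $i -lt $Ids.Count; $i++) {
        # Normalise: the output above shows mixed case and one id with a missing hyphen.
        $id = $Ids[$i].ToLower()
        if ($id -notmatch '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$') {
            $id = ($id -replace '[^0-9a-f]', '') -replace '^(.{8})(.{4})(.{4})(.{4})(.{12})$', '$1-$2-$3-$4-$5'
        }
        $code = [int]$Actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(unknown rule id)' }
            Action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        }
    }
    $report = @($report)
    # Rules that are configured but not enforcing, and listed rules that are absent entirely.
    $notBlocking = @($report | Where-Object { $_.Action -ne 'Block' })
    $missing     = @($AsrRuleNames.Keys | Where-Object { $_ -notin $report.RuleId })
    [pscustomobject]@{ Configured = $report; NotBlocking = $notBlocking; NotConfigured = $missing }
}

if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref    = Get-MpPreference
    $ids     = $pref.AttackSurfaceReductionRules_Ids
    $actions = $pref.AttackSurfaceReductionRules_Actions
} else {
    # Constructed sample mirroring the ids/actions shown in the Get-MpPreference output above.
    $ids     = @('01443614-cd74-433a-b99e-2ecdc07bfc25', '01443614-CD74-433A-B99E2ECDC07BFC25',
                 '26190899-1602-49e8-8b27-eb1d0a1ce869', '3B576869-A4EC-4529-8536-B80A7769E899')
    $actions = @(1, 1, 1, 1)
}

$result = Get-AsrRuleReport -Ids $ids -Actions $actions
$result.Configured | Format-Table RuleId, Action, Rule -AutoSize
"Configured but not blocking: $($result.NotBlocking.Count)"
"Listed above but not configured: $($result.NotConfigured.Count)"
```

Audit and Warn modes are how you stage a rule before enforcing it, so a rule showing up under NotBlocking is not necessarily wrong; the point of the report is to make that state visible per rule instead of buried in an array of 1s and 2s.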
Detection & Response
Endpoint Detection & Response:
- Correlated post-breach detection
- Investigation experience
- Incident
- Advanced hunting
- Response actions (+EDR blocks)
- Deep file analysis
- Live response
- Threat analytics
Live Response
- Real-time live connection to a remote system
- Leverage Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)
- Extended remediation command + easy undo
- Full audit
- Extendable (write your own command, build your own tool)
- RBAC+ Permissions
There is no user-defined AIR (automated investigation and response) playbook in Defender, but you can define your own playbooks in Sentinel.
Response Actions on a Device
Response actions on a file
Reports
Prevention
Investigation
Detection & Investigation
Notification
Normal Notification
References
- Supported Microsoft Defender for Endpoint capabilities by platform
- Investigate entities on devices using live response
- Microsoft Defender for Endpoint – demonstration scenarios – https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstrations
- Microsoft Defender Antivirus: Your next generation protection
- Learn about our approach to fileless threats
- Stopping attacks in their tracks through behavioral blocking and containment
- EDR in block mode
- Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner
Architecture
- Understand the architecture of the service
Onboarding
- Onboarding machines
- Deploy Microsoft Defender ATP for Mac in just a few clicks
- Deploy Microsoft Defender ATP in rings
- Microsoft Defender for Endpoint for iOS
- Microsoft Defender for Endpoint for Linux
- Onboarding and servicing non-persistent VDI machines
- Configuring Microsoft Defender Antivirus for non-persistent VDI machines
Grant and control access
- Use basic permissions to access the portal
- How to use RBAC
- How to use tagging effectively (Part 1)
- How to use tagging effectively (Part 2)
- How to use tagging effectively (Part 3)
- Multi-tenant access for Managed Security Service Providers
- Step-by-step: Multi-tenant access for Managed Security Service Providers
Security configuration
- Use Microsoft Endpoint Manager to manage security configuration
- Manage Microsoft Defender Firewall with Microsoft Defender ATP and Microsoft Intune
- Turn on tamper protection
- Co-Management
- Learn about all the features to help you reduce the attack surface
- Track and regulate access to websites with web content filtering
- Learn more about Application control
- Get a better understanding of Network protection
- Understand attack surface reduction rules
- How to configure attack surface reduction rules and how to use exclusions
- How to report and troubleshoot Microsoft Defender ATP ASR Rules
- Migrate from a 3rd party HIPS solution into ASR rules
- Reputation analysis – Microsoft Defender SmartScreen
- Overview of live response
- Response actions on machines
- Response actions on a file
- Part 0: Microsoft Defender for Endpoint – The ultimate blog series (Intro)
- Part 1: What is Defender for Endpoint and how works the product?
- Part 2: Configuring Defender for Endpoint Portal
- Part 3: Onboarding methods
- Part 3A: Onboard using MEM
- Part 3B: Onboarding using Defender for Cloud
- Part 3C: Onboard using Azure Arc
- Part 3D: Onboard using MECM/ GPO
- Part 4: Configuration of Defender for Endpoint/ NGP/ AV
- Part 4A: Define the AV policy baseline
- Part 4B: Attack Surface reduction and additional protection
- Part 5: Threat Vulnerability Management
- Part 6: Troubleshooting and reporting
- Part 7: Integrations with other “Microsoft” products
- Part 8: Advanced hunting and custom detections
- Part 9: Automation via Logic Apps and Sentinel
- Part 10: Tips and tricks/ common mistakes