This post collects some notes from a lab practice.

Management

Endpoint Security Stack: 

  1. Antivirus
  2. Disk Encryption
  3. Firewall
  4. Endpoint Detection & Response
  5. Attack Surface Reduction
  6. Device Control
  7. Web Protection
  8. Network Protection

Management Architecture

Microsoft Endpoint Manager (MDM) = Microsoft Intune admin Center

  • Antivirus
  • Disk Encryption
  • Firewall
  • Endpoint Detection and Response
  • Endpoint Privilege Management
  • Account Protection
  • App Control
  • Attack surface reduction
  • Device Compliance
  • Conditional Access

MDE Configuration Management:

Integrate with Intune

If MDE is not configured properly to connect to Intune, the settings page shows no connection and no last sync.

From: https://security.microsoft.com/securitysettings/endpoints/

From Intune: https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/

RBAC

Example:

Organization Chart with RBAC Role, Device Tag, Device Name

1. RBAC 

Best practice:

1. Create Azure AD User Groups

2. Configure MDE RBAC

3. Create Device Tags

4. Create Device Groups

Microsoft Defender – System – settings – Endpoints – Permissions – Roles

Device Group

Microsoft Defender – System – settings – Endpoints – Permissions – Device groups

It takes some time for the device count to show up in the group.

Onboarding

Auto Enroll for Azure Environment:

Azure AD / Entra ID – Manage – Mobility (MDM and WIP) – Microsoft Intune

Device onboarded by MDE

https://security.microsoft.com/

Use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices not enrolled with Intune

 https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration

How does it work?

Conceptual diagram of the Microsoft Defender for Endpoint security configuration management solution

  1. Devices onboard to Microsoft Defender for Endpoint.
  2. Devices communicate with Intune. This communication enables Microsoft Intune to distribute policies that are targeted to the devices when they check in.
  3. A registration is established for each device in Microsoft Entra ID:
    • If a device previously was fully registered, like a Hybrid Join device, the existing registration is used.
    • For devices that aren’t registered, a synthetic device identity is created in Microsoft Entra ID to enable the device to retrieve policies. When a device with a synthetic registration has a full Microsoft Entra registration created for it, the synthetic registration is removed and the devices management continues on uninterrupted by using the full registration.
  4. Defender for Endpoint reports the status of the policy back to Microsoft Intune.

Device onboarded by Intune

https://intune.microsoft.com/#home

Create a

Assign to all users or specific group(s):

Add all users and all devices for assignment. 

Manually onboarding a single device / user.

We can use SCCM, MDE, or Intune to push deployment packages to endpoints.

For orphan devices, there are local scripts for different OSes that can be downloaded and installed on them.

Off-boarding

Once onboarded, a device shows its last report time and changes to inactive status after 7 days.

An inactive device can't be deleted. It will be auto-purged in 6 months.

Command line: 

  • Get-MpPreference

PS C:\Users\nestorw> Get-MpPreference

AllowDatagramProcessingOnWinServer                    : False
AllowNetworkProtectionDownLevel                       : False
AllowNetworkProtectionOnWinServer                     : False
AllowSwitchToAsyncInspection                          : False
ApplyDisableNetworkScanningToIOAV                     : False
AttackSurfaceReductionOnlyExclusions                  : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_Actions                   : {1, 1, 1, 1…}
AttackSurfaceReductionRules_Ids                       : {01443614-cd74-433a-b99e-2ecdc07bfc25,
                                                        01443614-CD74-433A-B99E2ECDC07BFC25,
                                                        26190899-1602-49e8-8b27-eb1d0a1ce869,
                                                        3B576869-A4EC-4529-8536-B80A7769E899…}
AttackSurfaceReductionRules_RuleSpecificExclusions    : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_RuleSpecificExclusions_Id : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionAggressiveness                    : 0
BruteForceProtectionConfiguredState                   : 0
BruteForceProtectionExclusions                        : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionLocalNetworkBlocking              : False
BruteForceProtectionMaxBlockTime                      : 0
BruteForceProtectionSkipLearningPeriod                : False
CheckForSignaturesBeforeRunningScan                   : False
CloudBlockLevel                                       : 2
CloudExtendedTimeout                                  : 50
ComputerID                                            : 53478E7B-6656-4EC1-AC79-1BDE55590FE3
ControlledFolderAccessAllowedApplications             : {N/A: Must be an administrator to view exclusions}
ControlledFolderAccessDefaultProtectedFolders         : {N/A: Must be an administrator to view default protected
                                                        folders}
ControlledFolderAccessProtectedFolders                :
DefinitionUpdatesChannel                              : 0
DisableArchiveScanning                                : False
DisableAutoExclusions                                 : False
DisableBehaviorMonitoring                             : False
DisableBlockAtFirstSeen                               : False
DisableCacheMaintenance                               : False
DisableCatchupFullScan                                : True
DisableCatchupQuickScan                               : True
DisableCoreServiceECSIntegration                      : False
DisableCoreServiceTelemetry                           : False
DisableCpuThrottleOnIdleScans                         : True
DisableDatagramProcessing                             : False
DisableDnsOverTcpParsing                              : False
DisableDnsParsing                                     : False
DisableEmailScanning                                  : False
DisableFtpParsing                                     : False
DisableGradualRelease                                 : False
DisableHttpParsing                                    : False
DisableInboundConnectionFiltering                     : False
DisableIOAVProtection                                 : False
DisableNetworkProtectionPerfTelemetry                 : False
DisablePrivacyMode                                    : False
DisableQuicParsing                                    : False
DisableRdpParsing                                     : False
DisableRealtimeMonitoring                             : False
DisableRemovableDriveScanning                         : False
DisableRestorePoint                                   : True
DisableScanningMappedNetworkDrivesForFullScan         : True
DisableScanningNetworkFiles                           : False
DisableScriptScanning                                 : False
DisableSmtpParsing                                    : False
DisableSshParsing                                     : False
DisableTamperProtection                               : False
DisableTlsParsing                                     : False
EnableControlledFolderAccess                          : 1
EnableConvertWarnToBlock                              : False
EnableDnsSinkhole                                     : True
EnableEcsConfiguration                                : False
EnableFileHashComputation                             : False
EnableFullScanOnBatteryPower                          : False
EnableLowCpuPriority                                  : False
EnableNetworkProtection                               : 1
EnableUdpReceiveOffload                               : False
EnableUdpSegmentationOffload                          : False
EngineUpdatesChannel                                  : 3
ExclusionExtension                                    : {N/A: Must be an administrator to view exclusions}
ExclusionIpAddress                                    : {N/A: Must be an administrator to view exclusions}
ExclusionPath                                         : {N/A: Must be an administrator to view exclusions}
ExclusionProcess                                      : {N/A: Must be an administrator to view exclusions}
ForceUseProxyOnly                                     : False
HideExclusionsFromLocalUsers                          : True
HighThreatDefaultAction                               : 0
IntelTDTEnabled                                       :
LowThreatDefaultAction                                : 0
MAPSReporting                                         : 2
MeteredConnectionUpdates                              : False
ModerateThreatDefaultAction                           : 0
NetworkProtectionReputationMode                       : 0
OobeEnableRtpAndSigUpdate                             : False
PerformanceModeStatus                                 : 1
PlatformUpdatesChannel                                : 3
ProxyBypass                                           :
ProxyPacUrl                                           :
ProxyServer                                           :
PUAProtection                                         : 1
QuarantinePurgeItemsAfterDelay                        : 90
QuickScanIncludeExclusions                            : 0
RandomizeScheduleTaskTimes                            : True
RealTimeScanDirection                                 : 0
RemediationScheduleDay                                : 0
RemediationScheduleTime                               : 02:00:00
RemoteEncryptionProtectionAggressiveness              : 0
RemoteEncryptionProtectionConfiguredState             : 0
RemoteEncryptionProtectionExclusions                  : {N/A: Must be an administrator to view exclusions}
RemoteEncryptionProtectionMaxBlockTime                : 0
RemoveScanningThreadPoolCap                           : False
ReportDynamicSignatureDroppedEvent                    : False
ReportingAdditionalActionTimeOut                      : 10080
ReportingCriticalFailureTimeOut                       : 10080
ReportingNonCriticalTimeOut                           : 1440
ScanAvgCPULoadFactor                                  : 50
ScanOnlyIfIdleEnabled                                 : True
ScanParameters                                        : 1
ScanPurgeItemsAfterDelay                              : 15
ScanScheduleDay                                       : 0
ScanScheduleOffset                                    : 120
ScanScheduleQuickScanTime                             : 00:00:00
ScanScheduleTime                                      : 02:00:00
SchedulerRandomizationTime                            : 4
ServiceHealthReportInterval                           : 60
SevereThreatDefaultAction                             : 0
SharedSignaturesPath                                  :
SharedSignaturesPathUpdateAtScheduledTimeOnly         : False
SignatureAuGracePeriod                                : 0
SignatureBlobFileSharesSources                        :
SignatureBlobUpdateInterval                           : 60
SignatureDefinitionUpdateFileSharesSources            :
SignatureDisableUpdateOnStartupWithoutEngine          : False
SignatureFallbackOrder                                : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod                           : 120
SignatureScheduleDay                                  : 8
SignatureScheduleTime                                 : 01:45:00
SignatureUpdateCatchupInterval                        : 1
SignatureUpdateInterval                               : 3
SubmitSamplesConsent                                  : 1
ThreatIDDefaultAction_Actions                         :
ThreatIDDefaultAction_Ids                             :
ThrottleForScheduledScanOnly                          : True
TrustLabelProtectionStatus                            : 0
UILockdown                                            : False
UnknownThreatDefaultAction                            : 0
PSComputerName                                        :


PS C:\Users\nestorw>


Here are ways to check the sensor to see if the system is off-boarded. I have not run these to double check. For Windows:

  • sc query sense

C:\Users\nestorw>sc query sense

SERVICE_NAME: sense
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Users\nestorw>

  • If the sense service is not found or is stopped, the device might be off-boarded.
  1. Check the Registry:
    • Open Registry Editor (regedit).
    • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
    • Look for the OnboardingState value. If it is set to 0, the device is off-boarded.
  2. Event Logs:
    • Open Event Viewer.
    • Navigate to Applications and Services Logs > Microsoft > Windows > SENSE > Operational.
    • Look for Event ID 20 or 44, which indicate off-boarding events.
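
The three checks above (service, registry, event log) can be collected in one pass. This is an added example, not part of the original notes; the function name Get-MdeOnboardingEvidence and the $LookbackDays parameter are hypothetical, and event IDs 20 and 44 are used as the notes give them.

```powershell
# Added example, not from the original post. It automates the three checks
# listed above; event IDs 20 and 44 are taken from the notes as written.
function Get-MdeOnboardingEvidence {
    param([int]$LookbackDays = 30)   # hypothetical default window for the event search

    $result = [ordered]@{
        SenseService    = 'NotFound'
        OnboardingState = $null
        OffboardEvents  = @()
        Assessment      = $null
    }

    # 1. Service check (same information as "sc query sense").
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseService = [string]$svc.Status }

    # 2. Registry check: OnboardingState under the Status key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $reg = Get-ItemProperty -Path $key -Name 'OnboardingState' -ErrorAction SilentlyContinue
    if ($reg) { $result.OnboardingState = [int]$reg.OnboardingState }

    # 3. Event log check: SENSE operational channel, IDs 20 and 44.
    $filter = @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        Id        = 20, 44
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    try {
        $result.OffboardEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id)
    } catch {
        # No matching events, or the channel is absent or unreadable.
        $result.OffboardEvents = @()
    }

    # Combine the evidence; the registry value is treated as the strongest signal.
    $result.Assessment = if ($result.OnboardingState -eq 0) {
        'Off-boarded (OnboardingState = 0)'
    } elseif ($result.SenseService -ne 'Running') {
        'Possibly off-boarded (Sense service not running)'
    } elseif ($result.OffboardEvents.Count -gt 0) {
        'Review: sensor running, but off-boarding events were logged recently'
    } else {
        'No off-boarding evidence found'
    }
    [pscustomobject]$result
}

Get-MdeOnboardingEvidence | Format-List
```

A missing OnboardingState value is reported as empty rather than 0, so a key that does not exist is never mistaken for the off-boarded value.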


Get-MpComputerStatus will let you know what mode MDE is running in, along with a host of other information about MDE on the device.

Next Generation Protection

Attack Surface Reduction

Resist attacks and exploitations
  • HW based isolation
  • Application control
  • Exploit protection
  • Network protection
  • Controlled folder access
  • Device control
  • Web protection
  • Ransomware protection

What is used for:

  • Isolate access to untrusted sites
  • Isolate access to untrusted Office files
  • Host intrusion prevention
  • Exploit mitigation
  • Ransomware protection for your files
  • Block traffic to low reputation destinations
  • Protect your legacy applications
  • Only allow trusted applications to run

Attack Surface Reduction (ASR) Rules

Minimize the attack surface: signature-less controls on entry vectors, based on cloud intelligence. Attack surface reduction (ASR) rules control behaviors such as those of Office macros.

Productivity apps rules
  • Block Office apps from creating executable content
  • Block Office apps from creating child processes
  • Block Office apps from injecting code into other processes
  • Block Win32 API calls from Office macros
  • Block Adobe Reader from creating child processes
Email rule
  • Block executable content from email client and webmail
  • Block only Office communication applications from creating child processes
Script rules
  • Block obfuscated JS/VBS/PS/macro code
  • Block JS/VBS from launching downloaded executable content
Polymorphic threats
  • Block executable files from running unless they meet a prevalence (1000 machines), age (24hrs), or trusted list criteria
  • Block untrusted and unsigned processes that run from USB
  • Use advanced protection against ransomware
Lateral movement & credential theft
  • Block process creations originating from PSExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block persistence through WMI event subscription
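
Get-MpPreference returns ASR rules as two parallel arrays (AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions), which are hard to read side by side. The following added example, which is not part of the original notes, pairs them up and flags malformed or duplicate IDs such as the entry with a missing hyphen in the output earlier in this post. The function name Get-AsrRuleState is hypothetical, and the name table covers only the three GUIDs visible in that output.

```powershell
# Added example, not from the original post. Rule names cover only the three
# GUIDs visible in the Get-MpPreference output; other IDs are reported unnamed.
$AsrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age, or trusted list criteria'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block only Office communication applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
}
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param(
        # Object carrying the two ASR properties; defaults to the live settings.
        $Preference = (Get-MpPreference)
    )
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    $seen    = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $raw    = [string]$ids[$i]
        $key    = $raw.ToLowerInvariant()
        $valid  = $key -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
        $action = if ($i -lt $actions.Count) { [int]$actions[$i] } else { $null }

        $note = @()
        if (-not $valid)             { $note += 'malformed GUID' }
        if ($seen.ContainsKey($key)) { $note += 'duplicate entry' }
        if ($null -eq $action)       { $note += 'no action configured' }
        elseif ($action -ne 1)       { $note += 'not in Block mode' }
        $seen[$key] = $true

        $actionName = if ($null -eq $action) { 'Missing' } elseif ($AsrActionNames.ContainsKey($action)) { $AsrActionNames[$action] } else { "Unknown ($action)" }
        [pscustomobject]@{
            RuleId = $raw
            Name   = if ($AsrRuleNames.ContainsKey($key)) { $AsrRuleNames[$key] } else { '(not in local name table)' }
            Action = $actionName
            Note   = $note -join '; '
        }
    }
}

# Constructed sample that mirrors the IDs and actions in the output earlier in
# this post, including the entry with a missing hyphen.
$sample = [pscustomobject]@{
    AttackSurfaceReductionRules_Ids     = @(
        '01443614-cd74-433a-b99e-2ecdc07bfc25',
        '01443614-CD74-433A-B99E2ECDC07BFC25',
        '26190899-1602-49e8-8b27-eb1d0a1ce869',
        '3B576869-A4EC-4529-8536-B80A7769E899')
    AttackSurfaceReductionRules_Actions = @(1, 1, 1, 1)
}
Get-AsrRuleState -Preference $sample | Format-Table -AutoSize -Wrap
```

Calling Get-AsrRuleState with no argument on an endpoint reads the live settings instead of the sample.
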
Web Threat Protection Architecture

Detection & Response

Endpoint Detection & Response:

  • Correlated post-breach detection
  • Investigation experience
  • Incident
  • Advanced hunting
  • Response actions (+EDR blocks)
  • Deep file analysis
  • Live response
  • Threat analytics

Live Response

  • Real-time live connection to a remote system
  • Leverage Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)
    • Extended remediation command + easy undo
  • Full audit
  • Extendable (write your own command, build your own tool)
  • RBAC + Permissions

Microsoft 365 Defender Automated Investigation & Response (AIR)
Microsoft AIR mimics these steps using 15 built-in investigation playbooks and 20 remediation actions.

There is no AIR defined playbook in Defender, but you can define your own playbook in Sentinel.

What response actions should be covered?

Response Actions on a Device

1. Manage tags
2. Initiate Automated Investigation
3. Initiate Live Response Session
4. Collect investigation package from devices
5. Run Microsoft Defender Antivirus scan on devices
6. Restrict app execution
7. Isolate devices from the network
8. Contain devices from the network
9. Consult a threat expert
10. Check activity details in Action center
11. Turn on Troubleshooting mode
Take response actions on a device: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts

Response actions on a file

1. Stop and quarantine files in your network
2. Restore file from quarantine
3. Download or collect file
4. Add indicator to block or allow a file
5. Consult a threat expert
6. Check activity details in Action center
7. Deep analysis
Take response actions on a file: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts

Reports

 

Prevention

Features | How to Demonstrate
Windows Defender Exploit Guard Attack Surface Reduction Rules | Attack Surface Reduction – Microsoft Defender
Windows Defender Exploit Guard Controlled Folder Access | Controlled Folder Access – Microsoft Defender
Windows Defender Exploit Guard Network Protection | Network Protection – Microsoft Defender
Windows Defender SmartScreen URL Reputation | UrlRep – Microsoft Defender
Windows Defender SmartScreen App Reputation | AppRep – Microsoft Defender Testground
Microsoft Defender for Endpoint Web Content Filtering | Demo (Block SNS & Access to ex. facebook.com)
Microsoft Defender for Endpoint Indicators (URL / IP / Domain) | Demo (Specify URL & Access to the URL) *There may be up to 2 hours of latency

Attack Surface Reduction (ASR)
ASR Rules in Intune:

URL Filtering, and 

Anti Virus

Investigation

Detection & Investigation

Review incident & Alerts

 Results of review:

Actions:
1. Isolate device
2. Copilot for Security
3. Alerts
4. File submission as indicator
5. VirusTotal hash
6. Auto investigation

Notification

 Normal Notification

Create Incident Alert

Create vulnerability alert


By netsec
