User Spam & Phish Submissions configuration in Office 365 – Part 1

Posted onLeave a comment

Yesterday I noticed a tweet from @Pawp81 about a new feature being rolled out in Office 365 to configure user submissions. So, let’s have a look at this. When enabling the ‘Report Message’ add-in in Office 365, users can report misclassified email, whether safe or malicious, to Microsoft and its affiliates for analysis. Until now IT admins had to deploy the ‘Report Message’ add-in to their end users by configuring the centralized add-in deployment within Read More …

Microsoft Threat Protection – Using advanced hunting to see what’s going on with your mail

Posted onLeave a comment

Last December Microsoft introduced Microsoft Threat Protection (MTP) including advanced hunting that allows us to run queries across multiple data sources i.e. Microsoft Defender ATP and Office 365 ATP. If you haven’t heard yet about MTP I recommend reading Christian Müller’s blog post Microsoft Threat Protection – unified hunting Now while the primary purpose of the unified hunting capability is to find information about indicators and entities, we can also use it to get an Read More …

PowerShell 7 – Group Policy Settings and Eventlogs

Posted onLeave a comment

On December 16th Joey announced the availability of the PowerShell 7.0 release candidate. Time to look at the configuration options. Since I’m interested in the aspects of managing these settings within an enterprise environment, I closely followed the discussions on GitHub here https://github.com/PowerShell/PowerShell/pull/10468 and here https://github.com/PowerShell/PowerShell/issues/9309 and the outcome of these discussions is documented here https://github.com/PowerShell/PowerShell-RFC/blob/master/4-Experimental-Accepted/RFC0041-Policy.md Installation Now let’s look what options we have for the configuration of logging PowerShell 7 events. Let’s start with Read More …

Setting up Kali in Windows 10 WSL 2.0

Posted on1 Comment

Since Microsoft introduced WSL (Windows Subsystem for Linux) I’ve been playing with it occasionally, in the beginning however some of the tools I wanted to use like nmap and hping3 would not work due to issues with networking in WSL 1.0, however with WSL 2.0 these issues seem to be resolved so gave it another try earlier this year in June and all worked as expected. What’s nice about running kali in WSL is that Read More …

Microsoft Defender Advanced Threat Protection – Respond Actions Events

Posted onLeave a comment

Hey there, to be honest I had some difficulties to find the right title for todays blog post, so if you are still wondering here’s what this is all about. I had a customer asking me “how can we see what MDATP Respond actions were taken on a particular machine both from a Console and client perspective?“. At the time of writing this blog post we have the following machine response actions that trigger a Read More …

How to identify orphan Group Policy content within the Sysvol folder

Posted onLeave a comment

G’day everyone. Today I was working on a Microsoft Security Configuration baseline implementation and while browsing through the Sysvol folder I got the impression that there are less GPO objects stored within AD compared to the number of GPO content folders located within the Sysvol\Policies folder. As we speak about several hundred folders here, too many to count manually, and so another PowerShell script was born. Now if the terms SYSVOL, policies folder doesn’t mean Read More …

How to generate a monthly Defender ATP Threat and Vulnerability Report

Posted on4 Comments

Update 11 January 2020 – Microsoft has updated the Advanced Hunting Schema, so ComputerName is now DeviceName in the queries. Just recently Microsoft announced that the Defender ATP advanced hunting schema was extended with the following tables: DeviceTvmSoftwareInventoryVulnerabilities DeviceTvmSoftwareVulnerabilitiesKB DeviceTvmSecureConfigurationAssessment DeviceTvmSecureConfigurationAssessmentKB This allows us to run advanced hunting queries to find and extract Defender ATP TVM data. View the code on Gist. Now the people in your organization who are responsible for threat and vulnerability Read More …

Windows Defender, More than just Antivirus – Part 2

Posted onLeave a comment

In the previous post I provided an overview of the history of Windows Defender and an overview of the various features that have the name Windows Defender in them. When then looked at Windows Defender SmartScreen and Windows Defender Cloud based protection. Today I’d like to continue with my notes from the field and personal experiences and take a look at Windows Defender Exploit guard. Again, the objective of this blog post is to inspire Read More …

Microsoft Defender ATP Advanced Hunting – Who’s logging on with local admin rights?

Posted onLeave a comment

If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip how to find out who’s logging on with local administrators’ rights. But first when would you want to run this? Well here are some scenarios I can think of: You want to find users that have local administrator rights on their devices. You introduced LAPS and instructed your IT support to no longer use their own credentials but use Read More …

Windows Defender, More than just Antivirus – Part 1

Posted on1 Comment

Due to my professional activity as a Cyber Security Consultant, I regularly speak with customers about Windows Defender and find that many are not fully aware of all the features and capabilities that Windows Defender offers. Also, when reviewing existing implementations, I’ve noticed a pattern of some common issues. I guess the blog post title ‘Windows Defender, more than just Antivirus’ says it all. The objective of today’s blog post is to provide you with Read More …