Preparing my Application Guard for Office test lab

Hello everyone, today I wanted to see application guard for office in action. If you are not familiar with application guard for office, I suggest you read the following articles / documentation. Microsoft Defender Application Guard for Office Application Guard for Office And now let me walk you through the steps to get application guard for office working in your test lab. Deploy Windows 10 20H1 or 20H2 When running your test client in Hyper-V Read More …

MTP Advanced Hunting – Public free E-Mail services

Today I received an e-mail from a customer explaining to me that at times they have false positives with e-mail Impersonation. Depending on your configuration the e-mail will end up being moved to the user’s junk folder or into quarantine. When releasing such a message and have safety tips turned on, you might see the following message at the top of the message. Reading Tip: Protect yourself from phishing schemes and other forms of online Read More …

Hunting for Local Group Membership changes

Hello there, A couple of days ago, someone in a forum asked whether it would be possible to detect changes to the local administrator’s group using Microsoft Defender Advanced Threat protection. Before I continue why would you want to monitor such changes? Well here is what comes to my mind: An attacker tries to maintain persistence, creates an account, and adds it to the local administrator’s group. T1136.001 – Create Account: Local Account A user Read More …

Managing Time Zone and Date formats in Microsoft Defender Security Center

When you receive security alerts or are investigating security related events , the aspect of time is important element. By default, date and time is displayed in Coordinated Universal Time (UTC) within the Microsoft Defender security center portal. In todays’ blog post, I want to provide you with some insights and tips how to manage Timezone and the date time format within the Microsoft Defender security center. Time zones You can use the Time zone Read More …

Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

Hello everyone, during the past months I took a closer look at MITRE ATT&CK to advance my hunting skills using Microsoft Defender Advanced Threat Protection. For those not familiar with MITRE ATT&CK, in short, it is a knowledge base knowledge base of adversary tactics and techniques based on real-world observations. To familiarize myself with MITRE ATT&CK, I first started reading through all the tactics and techniques, to be honest while reading, I often couldn’t resists Read More …

Meet the new Microsoft Defender ATP evaluation lab

This week Hadar Feldmann, senior program manager and security researcher at Microsoft announced the public preview of the new Microsoft Defender ATP evaluation lab that now includes two attack simulation solutions from AttackIQ and SafeBreach. The term ‘evaluation’ might indicate that the lab is only intended for new customers hat are in the process of evaluating Microsoft Defender ATP, but that’s not the case, personally I think that it is also a perfect playground for Read More …

Windows 10 2004 – What is new in the Windows Security App

When all goes well, Microsoft will soon release the next version of Windows 10 aka as Windows 10 2004. I am an active Windows Insider user and noticed a few little changes within the Windows 10 Security App that I think are worth sharing. I used the following Windows 10 builds to identify changes, new features: Windows 10, 1909, Version 10.0.18363.836 Windows 10, 2004, Version 10.0.19628.1 Windows Security App Icon First thing you will notice Read More …

How to deploy your jump host in Azure

Due to the current CODV 19 pandemic, governments are urging their citizens to stay at home. For many people this means finding alternative ways to continue their work from home. This article is primarily aimed at IT administrators or IT consultants who do not have an existing solution in place and who are looking for a simple but secure solution to access their IT infrastructure remotely. When saying existing solutions, I’m referring to remote access Read More …

Importing GPO Security Baselines with PowerShell

Okay there’s this rule , if you do something manually for the third time, it’s about time to think of automating it. Here’s a script that I created to create Group Policy Objects and import the security baseline settings. The script will work with any security baseline that is provided with Group Policy backups e.g. Microsoft Security baseline, CIS, NSA. Let me show you this with an example: First download the latest Microsoft Security baseline Read More …

Microsoft Defender ATP – Live Response

Back in May the Microsoft Defender Advanced Threat Protection team announced the availability of the Live response feature in MDATP. Today I took a closer look at this and thought I’d share my experiences and findings. What’s that live response thing again? “Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions Read More …