Deploying Defender ASR – Block persistence through WMI event subscription

Last week Microsoft released the DRAFT Security baseline for Windows 10 and Windows Server, version 20H2. Although available since Windows 10 1903, the attack surface reduction rule ‘Block persistence through WMI event subscription’ is now being included into the recommended security control configurations. The technique is included in the MITRE ATT&CK framework: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription When we head over to the Microsoft docs, Block persistence through WMI event subscription Read More …

Finding Ignite 2020 and Tech Community video hub content with PowerShell

This week at Ignite 2020 Microsoft delivered 811 sessions. Although I did attend several sessions during the live event, I was not able to join all the sessions I wanted to. But luckily most of the sessions are recorded so they can be watched online or if you prefer you can download the video and content. Like every year, Microsoft provides a PowerShell script to download all the content or specific sessions. When you click Read More …

Generating Advanced hunting queries with PowerShell

I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below Read More …

User Spam & Phish Submissions configuration in Office 365 – Part 1

Yesterday I noticed a tweet from @Pawp81 about a new feature being rolled out in Office 365 to configure user submissions. So, let’s have a look at this. When enabling the ‘Report Message’ add-in in Office 365, users can report misclassified email, whether safe or malicious, to Microsoft and its affiliates for analysis. Until now IT admins had to deploy the ‘Report Message’ add-in to their end users by configuring the centralized add-in deployment within Read More …

PowerShell 7 – Group Policy Settings and Eventlogs

On December 16th Joey announced the availability of the PowerShell 7.0 release candidate. Time to look at the configuration options. Since I’m interested in the aspects of managing these settings within an enterprise environment, I closely followed the discussions on GitHub here https://github.com/PowerShell/PowerShell/pull/10468 and here https://github.com/PowerShell/PowerShell/issues/9309 and the outcome of these discussions is documented here https://github.com/PowerShell/PowerShell-RFC/blob/master/4-Experimental-Accepted/RFC0041-Policy.md Installation Now let’s look what options we have for the configuration of logging PowerShell 7 events. Let’s start with Read More …

Importing GPO Security Baselines with PowerShell

Okay there’s this rule , if you do something manually for the third time, it’s about time to think of automating it. Here’s a script that I created to create Group Policy Objects and import the security baseline settings. The script will work with any security baseline that is provided with Group Policy backups e.g. Microsoft Security baseline, CIS, NSA. Let me show you this with an example: First download the latest Microsoft Security baseline Read More …

Extract ConfigMgr Script Status Results with PowerShell

During a recent customer engagement I had to collect the size of user profiles across a large number of devices. I was first thinking of using a script that would collect the information we need, store it into a custom WMI table and then collect the data using ConfigMgr hardware inventory, but since we only needed a one time snapshot of this information I decided against that idea. The next option would be to go Read More …

ConfigMgr CMPivot , the PowerShell Script, the Events…

While working with CMPivot this week, I wanted to find out how locally on the client the data is collected, I already knew that when you execute a CMPivot query from the ConfigMgr console, it will run the query on the target device and returns the result back to ConfigMgr. While investigating I also came across this blog post CM Pivot Internals that describes how things work, nevertheless I wanted to dig a bit deeper. Read More …

The case of Running the Device and Credential Guard Hardware Readiness Tool and unknown architecture

To close this week, let me share my findings with you about running the Windows Device and Credential Guard Hardware Readiness Tool and the unknown architecture error. Believe it or not, there are still people, probably more than I assume, that run Windows in their native language instead of English. I can understand when end users do so, but honestly when administrating an infrastructure? Anyway, I recently worked for a client where the UI is Read More …

Exploring Microsoft Cloud App Security with PowerShell – Part1

Last Friday I was given the opportunity to present at the Configuration Manager Community Event (CMCE1905) in Bern, Switzerland. Although Microsoft Cloud App Security is not really related to ConfigMgr, many of the attendees are dealing with managing classic and modern workplaces and security is almost on everyone’s list of interest. During my session “Unleash the power of Microsoft Cloud App Security” I also demonstrated how one can explore information within Microsoft Cloud App Security Read More …